Security policy manager to configure permissions on computing devices

ABSTRACT

For increased device security, a security policy manager is used to configure permissions for applications installed on mobile computing devices. In one approach, an evaluation server receives data associated with a context for a computing device. Based on the received data, a policy that is applicable for the current context of the computing device is identified. The identified policy has rules regarding access permissions for software installed on computing devices. The server determines a current policy implemented on the computing device, which includes determining an access permission for software installed on the computing device. The server determines that the access permission for the installed software does not comply with the policy applicable to the current context. Based on this determination, the server revokes the access permission for the installed software.

FIELD OF THE TECHNOLOGY

At least some embodiments disclosed herein relate to permissions for computing devices, and more particularly, but not limited to configuring permissions for computing devices associated with a change of context for a computing device and/or a permission request for software on a computing device.

BACKGROUND

In many cases, application (app) permissions granted by a user on a mobile device determine what the app is allowed to do and data that can be accessed by the app. This may be access to data stored on a user's phone (e.g., contacts and media files) or hardware components (e.g., a camera or microphone). Granting permission allows the app to use the feature, and denying access prevents the app from using it.

Typically, an application cannot automatically grant itself permissions. Instead, the permissions have to be confirmed by the user. For example, an application may ask for a user to accept each of several permissions the first time the user launches the app. For example, a popup may be displayed to the user requesting the user to “allow” or “deny” each request.

Examples of various permissions that may be requested by an Android app include the following:

-   -   Body Sensors—allows access to health data and step count, from         paired heart-rate monitors, fitness trackers, and other sensors.     -   Calendar—allows apps to read calendar events.     -   Camera—taking photos and recording video.     -   Contacts—read, create, or edit contact lists, and access list of         accounts used on user's device.     -   Location—access user's location using GPS, and cellular data and         Wi-Fi.     -   Microphone—used for recording audio or for video.     -   Phone—access to user's phone number and network info (used for         making calls and VoIP, voicemail, call redirect, and editing         call logs).     -   SMS—read, receive, and send MMS and SMS messages.     -   Storage—read and write files to phone's internal and external         storage.

An app generally asks the user to confirm permissions for the app the first time the app is run, but the user typically can go back and readjust app permissions after installation. For example, the permissions enabled for a specific app can be adjusted in the apps and notifications user interface section on an Android phone. This section also presents to the user an overview of the permissions that have already been granted to an app.

In some cases, denying permissions to certain apps is advisable to keep a user's phone and data safe from malicious applications. Generally, reputable app developers only request the permissions that their application requires. However, a user might not want to use certain features tied to data extraction (e.g., for diagnostic or advertising purposes).

Also, permissions that an app requests can be checked before installing the app by reading the description in, for example, the Google Play Store. A reputable app developer should disclose how each permission is used by the app.

Permissions can be requested by apps running on any of various types of computing devices. Examples of computing devices include mobile devices (e.g., Apple iPhone or an Android phone). An Android phone can use any of various versions of the Android operating system.

Android 6.0 Marshmallow (codenamed Android M during development) is a more recent major version of the Android operating system. Marshmallow uses a new permissions architecture.

Specifically, Android Marshmallow introduces a redesigned application permissions model in which apps are no longer automatically granted all of their specified permissions at installation time. An opt-in system is now used, in which users are prompted to grant or deny individual permissions (e.g., ability to access the camera or microphone) to an application when they are needed for the first time. Applications store the grants, which can be revoked by the user at any time. The new permissions model is used by applications developed for Marshmallow using its software development kit (SDK).

Older apps continue to use the previous all-or-nothing approach. Permissions can still be revoked for those apps. However, this may prevent them from working properly. A warning may be displayed to indicate this.

In many cases, mobile devices running software that make requests for permissions are operated by a user that is employed or otherwise associated with an organization such as a business. Often, the organization desires to exercise various forms of control over such devices. One common motivation is to protect the security of computing systems of the organization.

Mobile application management (MAM) relates to software and services for provisioning and controlling access to internally developed and commercially available mobile apps used in business settings on both company-provided and “bring your own” smartphones and tablet computers.

Enterprise mobile application management is increasingly important due to the widespread adoption and use of mobile applications in business settings. The “bring your own device” (BYOD) phenomenon makes mobile application management more important, with personal PC, smartphone and tablet use in business settings (vs. business-owned devices) significantly increasing. Mobile application management enables corporate IT staff to download required applications, control access to business data, and remove locally-cached business data from the device if it is lost, or when its owner no longer works with the company. A growing demand for mobile apps from employees is prompting organizations to broaden beyond mobile device management to managing a growing number of mobile applications.

An end-to-end MAM solution can provide the ability to control the provisioning, updating and removal of mobile applications via an enterprise app store, monitor application performance and usage, and remotely wipe data from managed applications.

Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablets, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices.

MDM functionality can include over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, mobile printers, mobile POS devices, etc. Most recently laptops and desktops have been added to the list of systems supported. MDM tools are used for both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers. Consumer demand for BYOD is now requiring a greater effort for MDM and increased security for both the devices and the enterprise to which they connect. By controlling and protecting the data and configuration settings for all mobile devices in a network, MDM can reduce support costs and business risks.

With mobile devices becoming commonplace and increased numbers of applications becoming available for mobile devices, mobile monitoring is growing in importance. Numerous vendors help mobile device manufacturers, content portals and developers test and monitor the delivery of their mobile applications. This testing is done in real-time by simulating the action of thousands of customers and detecting and correcting bugs in the applications.

Typical solutions include a server component, which sends out the management commands to the mobile devices, and a client component, which runs on the mobile device and implements the management commands.

Central remote management uses commands sent over the air to mobile device handsets. An administrator at a mobile operator, an enterprise IT data center or a handset OEM can use an administrative console to update or configure any one handset, group or groups of handsets. The Open Mobile Alliance (OMA) has specified a platform-independent device management protocol called OMA Device Management. It is supported by several mobile devices, such as PDAs and mobile phones.

Over-the-air programming (OTA) capabilities are a component of mobile network operator and enterprise-grade mobile device management software. These include the ability to remotely configure a single mobile device, an entire fleet of mobile devices or any IT-defined set of mobile devices; send software and OS updates; remotely lock and wipe a device; and do remote troubleshooting. OTA commands are sent as binary messages, which are messages including binary data.

Mobile device management software enables corporate IT departments to manage the many mobile devices used across the enterprise; consequently, over-the-air capabilities are in high demand. Enterprises using OTA as part of their MDM infrastructure demand high quality in the sending of OTA messages. Present day MDM solutions offer both Software as a Service (SaaS) and on-premises models.

One example of mobile device management software provides some degree of control and visibility for an administrator of mobile devices. IT managers ensure that mobile devices comply with their organization-specific IT policies and that the correct configuration is pushed to devices. Mobile management software can permit users to self-enroll over-the-air. In addition to automatically configuring corporate policies and controls, IT can automatically setup WiFi, VPN and Exchange ActiveSync configurations on mobile devices.

An administrator (admin) defines and deploys policies for an organization. The admin may choose from a set of policy controls over password, device encryption, camera, Wi-Fi, VPN, etc. If a device is lost, stolen, retired or replaced, the admin can wipe data from the device to reduce the chance of data loss.

The admin can control and manage various devices from a single console. MDM can support a wide array of mobile devices, operating systems and technologies including Apple iOS, Apple Watch, Android, Windows Pro, Window Phone and Samsung KNOX. Whether Bring Your Own Device (BYOD), Corporate-Owned, Personally-Enabled (COPE) devices or a combination of both are utilized, customizable policies ensure the right policies are applied to the right device.

MDM can support use cases including business users, remote workers, highly-sensitive users, shared devices, and kiosks. MDM can be deployed using a fully cloud-based deployment. MDM can be fully integrated with a Secure Mobility Platform.

As users of mobile devices desire to and are able to install applications from numerous various sources that are beyond the control of an administrator, there is an increased risk that malware or other undesirable software may be installed. One source of software available to users, that may be beyond the control of or monitoring by administrators, is peer-to-peer file sharing (e.g., using the BitTorrent protocol). In some cases, certain file sharing sources may be untrusted or even a known bad source of software loaded onto mobile devices.

In contrast to potentially untrusted or risky sources such as BitTorrent, in other cases, applications may be installed on mobile devices by users from known good sources. For example, a common source of applications installed on mobile devices using the Android system is the Google Play store.

The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The certificate does not need to be signed by a certificate authority. Rather, it is typical for Android applications to use self-signed certificates.

Android applications that are not signed will not be installed on an emulator or a device. When a developer is ready to release an application for end-users, the developer signs it with a suitable private key. The developer can use self-signed certificates to sign the developer's applications. No certificate authority is needed.

The Android system will not install or run an application that is not signed appropriately. This applies wherever the Android system is run, whether on an actual device or on the emulator.

Mobile devices such as cell phones and personal digital assistants (PDAs) can be attacked by exploits or malware that are specifically adapted for the mobile environment. Exploits can take advantage of security vulnerabilities associated with a mobile device in order to execute malicious code or perform undesired actions on the device. Potentially, exploits can bypass permissions or policies set by the user, manufacturer, operating system, or mobile operator and give the attacker complete control of the device. Mobile malware is typically spread by downloading infected programs or files. Some malware only becomes active if the recipient chooses to accept the malware and run it on the mobile device. Other malware, when combined with exploits, are self-propagating worms that may not need user intervention in order to spread, potentially creating a very severe and widespread security problem.

Devices may be compromised by malware and exploits over wide area networks, such as the Internet or a cellular network, and local wireless networks, such as Wi-Fi or Bluetooth. For example, some devices which are equipped with Bluetooth allow other nearby Bluetooth-enabled devices to transfer files or other data such as contact information. Bluetooth-enabled devices that are infected with malware often search for nearby devices that are in “discoverable” mode. When an infected device discovers a target, it may send malware disguised as a security update or another item designed to fool the target device's user into accepting the transfer and executing the malware. If malware were to utilize an exploit instead of disguising itself in order to get a target user to accept the file transfer, a device which is in “discoverable” mode could become infected without the user being able to intervene.

In addition to being able to propagate malware, exploits may be able to directly perform malicious actions on vulnerable devices. Such exploits may be used by attackers to steal information, charge money to the target device's phone bill, or prevent a device from functioning properly. Although vulnerabilities which take advantage of exploits may be fixed if the software vendor responsible for the vulnerability provides a patch or firmware upgrade, such fixes are often costly and time consuming to release and difficult for users or IT organizations to apply.

It is desired that both individual users and IT organization be able to verify that their security protection is functioning properly and be aware of the security state of their devices so as to be able to remediate or investigate issues as early as possible. If a device or group of devices has a security problem or has recently been attacked, the user or administrator responsible may not immediately know because mobile devices and existing solutions may not continuously present security status information and attempt to push important events to users and administrators.

What is needed in some cases is a system and method for identifying, reporting, and preventing mobile security problems and for providing security information concerning the state of a mobile device or group of mobile devices to a user or administrator. The system and method should keep users or administrators continuously aware of security status, recent security-related events, and potential security threats without requiring them to repeatedly seek out security-related information.

Because of inherent security concerns, mobile communications devices such as mobile phones, PDAs, and smartphones have yet to provide the same breadth of trusted connectivity found on desktop and laptop computer platforms. For example, mobile device users are less likely to access confidential information and/or perform financial transactions with a mobile communications device because such devices are not sufficiently secure. Similarly, service providers such as banks, online payment services and providers of confidential information are less likely to offer access to their services through mobile communications devices. As a result, mobile communications device users are limited by the types and availability of many online services. This is because present methods for securing mobile communications devices do not contemplate many ways users may wish to access online services and online service providers, and are therefore inadequate for providing a secure platform for access to and from online services or service providers.

Previous methods for securing mobile communications devices focus on an all-or-nothing approach. Access to or from the mobile device is either granted or not granted based upon whether the device meets certain standards, possesses certain configurations, or adheres to certain policy rules. If the device passes these standards, access is granted. If the device is deficient in any way, access is denied. Such an approach does not consider the types or levels of access required by certain service providers, nor does this approach contemplate the security and repair capabilities of the device itself. Indeed, prior art security systems and methods ignore the recent activity of the mobile device in relation to its overall security state. Furthermore, prior art security systems are typically limited to authorizing access to a given network, making them unsuitable for controlling access and access levels to services and service providers based on a device's security state.

What is therefore needed in some cases is a system and method for providing security for mobile communications devices that considers the security state of the device and provides a platform for integrating with services and service providers.

Detecting attacks on a mobile communications device presents challenges not found on traditional computing platforms. Mobile communications devices lack the hardware, software and memory resources of a traditional computer. As such, storing vast signature databases on the mobile communications device is not feasible, and running complicated analysis systems strains the device's memory, battery, and CPU. Other security solutions have been found unsuccessful at detecting attacks specifically directed to a mobile communications device, since mobile communications devices provide functionalities not found on traditional computers. For example, a mobile communications device may be attacked via network data, files, or executables received over various network interfaces such as Bluetooth, Wi-Fi, infrared, or cellular networks.

One of the issues that make it difficult to protect mobile communications devices from undesirable applications is the many different types of data and applications that are available for such devices. While service providers are able to manage the network traffic in providing applications, there is no current way to effectively monitor the behavior of these applications after they have been installed on a user's mobile communications device. As a further result, it is difficult to identify new, previously unknown malicious applications by their behavior and to track and prevent the spread or dissemination of damaging applications and data once they have been released to the network. It would be desirable to provide a system that can actively monitor a group of mobile communications devices in order gather data about the installation and behavior of applications on mobile communications devices.

Also, the source of an access request may be difficult to determine. For example, an enterprise employee visiting London, England on vacation with a sudden, urgent business issue may use free Wi-Fi in a coffee shop to VPN from her iPhone into her enterprise computer, which she left up and running in California. The employee may use that VPN access to command the enterprise computer to access enterprise resources. Typically, the enterprise backend would not know that the enterprise computer is projecting its display and sending enterprise data all the way to London. The enterprise would also not know the security status of the Wi-Fi connection or the iPhone.

What is therefore needed in some cases is a method for determining whether to allow or deny an access request based on knowledge of the source of the access request and knowledge of the security of the computing devices and network infrastructure involved in the transmission of the access request.

SUMMARY OF THE DESCRIPTION

Systems and methods for managing permissions for computing devices are described herein. In some cases, a permission is managed based on a change of context for a computing device. In other cases, a permission is managed when the user is requested to grant permission for software on a computing device. In yet other cases, a managed permission is associated with software making a request for access by a computing device to a service (e.g., an online or network service). Various embodiments are described below.

In one embodiment, a method includes: determining, by a first computing device, a change of context for a second computing device from a first context to a second context; in response to determining the change of context to the second context, revoking a permission for software on the second computing device; determining, by the first computing device, a change of context for the second computing device from the second context to a different context; and in response to determining the change of context to the different context, restoring the permission for the software.

In one embodiment, a method includes: determining a behavior associated with software; determining that a user device has requested a user grant a permission for the software, wherein the permission corresponds to the behavior; and in response to determining that the user device has requested the user grant the permission, sending a communication to the user device, the communication including at least one of: data regarding the behavior, data from an administrator device regarding the permission, or data associated with a decision delegation by the user device regarding permissions.

In one embodiment, a method includes: receiving a request regarding access by a first computing device (e.g., a mobile device of a user) to a service; in response to the request, performing, by a second computing device (e.g., an evaluation server, or a server of an identity provider), an evaluation of the first computing device; and performing, by the second computing device, an action (e.g., authorizing access to the service) based on the evaluation. For example, the request for access may be made by software executing on a mobile device. For example, the request for access may be associated with one or more permissions that have been granted for the software, and/or associated with one or more requests for permission being made to a user of the mobile device.

In one embodiment, a method includes: receiving a request regarding access by a first computing device to a service; in response to the request, performing, by a second computing device, an evaluation of a configuration of the first computing device, wherein the evaluation comprises determining a risk level; and performing, by the second computing device, an action based on the evaluation, wherein the action comprises sending a communication to a computing device of an identity provider, the communication indicating the risk level. In one embodiment, the service is provided by a service provider, and the identity provider is of record with the second computing device and/or the service provider as the identity provider to use for requests for access to the service. In one embodiment, the identity provider determines whether to authorize access (and/or to what extent to permit such access) to the service by the first computing device based on the risk level in the received communication.

The disclosure includes various methods and devices which perform the above methods and systems, including data processing systems which perform these methods, and computer readable media containing instructions which when executed on data processing systems cause the systems to perform these methods.

Other features will be apparent from the accompanying drawings and from the detailed description which follows.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.

FIG. 1 shows a system for performing a security evaluation by an evaluation server 150 in response to a request for access to a service provided by a service provider, according to one embodiment.

FIG. 2 shows an application marketplace offering multiple applications for remote installation on mobile devices, according to one embodiment.

FIG. 3 shows the system of FIG. 1 further illustrating an administrator server that communicates with the evaluation server 150, according to various embodiments.

FIG. 4 shows the system of FIG. 3 further illustrating state designations stored at the evaluation server and the administrator server, according to various embodiments. In one embodiment, a state designation is received from one of a plurality of computing devices in a series of devices that transmit an access request. The state designation is used by the receiving computing device to set a state as described below. A state determined using a received state designation may be used in the security evaluation performed, for example, by the evaluation server. In one embodiment, an action performed by the evaluation server based on a security evaluation includes sending a state designation to mobile device 149.

FIG. 5 shows a system for security protection, in which an evaluation server communicates with an authenticity server regarding an application accessing a service, according to one embodiment. The application may initiate or originate the access request that is sent to the evaluation server.

FIG. 6 shows a display of a mobile device of a user, in which the display presents an icon to the user for an application store, according to one embodiment.

FIG. 7 shows the display of the mobile device of FIG. 6, on which a notification is presented to the user for approving installation of a software client on the mobile device, according to one embodiment.

FIG. 8 shows the display of the mobile device of FIG. 6, on which a notification is provided to query a user whether to trust an application from a software developer, according to one embodiment.

FIG. 9 shows the display of the mobile device of FIG. 6, on which a notification is provided from an evaluation server or an administrator server indicating that an application being installed may be from an untrusted source, according to one embodiment.

FIG. 10 shows a user console (indicated as “side-load server console”) of an evaluation server in communication via an application programming interface with a user console of an administrator server, according to one embodiment.

FIG. 11 shows a block diagram of a computing device (e.g., an evaluation server, an administrator server, or an authenticity server) which can be used in various embodiments.

FIG. 12 shows a block diagram of a computing device (e.g., a mobile device of a user or a user terminal), according to one embodiment.

FIG. 13 shows a computing system for evaluating software (e.g., software that has requested a user permission) and implementing a quarantine of the software based on a new security threat, according to one embodiment.

FIG. 14 shows a computing system for managing permissions associated with one or more computing devices, according to one embodiment.

FIG. 15 shows a method for managing a permission for software based on a change of context for a computing device, according to one embodiment.

FIG. 16 shows a method for managing a permission for software associated with a request for a user to grant the permission, according to one embodiment.

DETAILED DESCRIPTION

The following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding. However, in certain instances, well known or conventional details are not described in order to avoid obscuring the description. References to one or an embodiment in the present disclosure are not necessarily references to the same embodiment; and, such references mean at least one.

Reference in this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.

At least some embodiments below relate to methods for managing permissions for computing devices. In one example, a permission is managed based on a change of context for a computing device. In another example, a permission is managed when a user is requested to grant a permission for software on the user's computing device.

For example, a permission may have been previously granted for software (e.g., application 1013 of FIG. 1) on a mobile device (e.g., mobile device 149). The permission may have been granted by the user when using the mobile device at home. However, when the user brings the mobile device to work, and attempts to connect to a network of employer, the context for the mobile device has changed. In response to determining this change of context from a home context to a work context, the permission for the software is revoked. For example, an employer of the user may prohibit certain functions to be performed by, or access granted to, the user's mobile device when connected to a network controlled by the employer.

At a later time, the context of the user's mobile device may again change. For example, the user may return home, or the user may leave work and go to another location other than home. A computing device (e.g., evaluation server 150) may determine that the context of the mobile device has changed from the work context to a different context. In response to determining this change, the permission for the software is restored.

In another example, the user device has requested a user grant permission for software (e.g., application 1013 of mobile device 149 in FIG. 1). Prior to this request, evaluation server 150 has determined a behavior associated with the software. For example, this behavior may have been determined based on prior analysis or other evaluation of the software by evaluation server 150. In response to determining that the user device has requested the user grant this permission, various actions can be performed by evaluation server 150.

In one example, evaluation server 150 causes the sending of a communication to the user device. The communication can include various information. For example, the communication can include data regarding the behavior itself, data from an administrator device regarding the permission, and/or data associated with a decision delegation by the user device. In one example, the decision delegation provides assistance to the user in managing the request for permission.

Various further embodiments regarding managing permissions for computing devices are described below in the section titled “Permissions Policy Manager”.

In one embodiment, evaluation server 150 may perform an analysis of software and determine that the software is malicious or otherwise presents a security risk. For example, the analysis can be performed in response to a request for permission by the software. In light of this determination of a security risk, evaluation server 150 may send a message to the user mobile device that changes or blocks certain functions or operations of the software; the sending may be direct, or via a push service, or via an MDM server. In some cases, installation or launching of software can be blocked. In other cases, one or more permissions for software can be denied or changed. In other cases, data regarding the permission and/or the software can be requested from an administrator device.

In one embodiment, an evaluation server analyzes the software by comparison to a threshold. The threshold used for comparison and/or other evaluation by the evaluation server (e.g., evaluation server 150) can be dynamically updated based on feedback and/or other data provided by a user of a computing device (e.g., mobile device 149). Alternatively, or additionally, the threshold can be based on any other data associated with the user and/or the user's organization (e.g., user's role, risk level, etc.). In one example, the data is provided to the evaluation server by MDM software of an administrator server (e.g., admin server 1310 of FIG. 13 below), and is used by the evaluation server to adjust the threshold (e.g., the threshold of a user having a device managed by MDM software 1311 of FIG. 13 below). In one example, the MDM software provides data regarding permissions that are permitted by an organization that manages the computing device of the user. In one example, the MDM software can provide data as real-time context data is received from a managed mobile device, or otherwise determined about the device by the MDM software.

Evaluation server 150 also may perform other remediation actions in response to determining a security threat (e.g., associated with managing permissions in light of a change of context for a computing device). For example, in response to the above new analysis performed for the second user mobile device, the evaluation server 150 can send a message or take other action to quarantine software. In some cases, prior to quarantining software, the evaluation server 150 will perform an analysis of the software in the context of the computing device (e.g., using context data regarding a current configuration of the computing device). In one example, the quarantine can block launching or execution of the software on the user mobile device. In another example, the quarantine can block network traffic to or from the first user mobile device that is associated with the software.

Other embodiments are now described below that relate to evaluation of device risk performed in response to a request for access to a service (e.g., the request for access may be made by software that is seeking a permission, or that has been granted a permission at an earlier time). The evaluation may be performed, for example, by the evaluation server 150 above. In some embodiments, software associated with the request for access (e.g., software installed on a user's mobile device that is initiating the request for access) is evaluated by server 150 as being malicious. In such cases, server 150 can, for example, initiate a quarantine of the software as described for FIG. 13 below.

In one embodiment regarding access to a service, a method includes: receiving a request regarding access by a first computing device (e.g., mobile device 149 of FIG. 1) to a service; in response to the request, performing, by a second computing device (e.g., evaluation server 150 of FIG. 1), an evaluation of a configuration of the first computing device; and performing, by the second computing device, an action based on the evaluation.

In one embodiment, the service is provided by a third computing device (e.g., service provider 170 of FIG. 1), and the request is received from the first computing device or from the third computing device. In one embodiment, the request is received from a computing device of an identity provider 172 in FIG. 1.

In one embodiment, the evaluation determines that the configuration is not secure, and the action is blocking access by the first computing device to the service.

In one embodiment, the service is provided by a third computing device, the method further comprises receiving first data from the first computing device that is used in the evaluation, and the action is sending the first data to the third computing device.

In one embodiment, the first data is received from a software component installed on the first computing device, and the software component obtains the first data from the first computing device. In one embodiment, the second computing device receives aggregated information. The evaluation is performed using at least the aggregated information.

In one embodiment, the action is sending a communication to a third computing device that grants access to the service by the first computing device, wherein software is installed on the first computing device, and wherein the evaluation comprises at least one of determining a source of the software, evaluating authenticity of the software, or analyzing at least one component of the software.

In one embodiment, the evaluation determines an extent of security risk for the configuration of the first computing device, and wherein an extent of access to the service provided to the first computing device is based on the determined extent of security risk. For example, a security component (e.g., security component 1412), as is described below, may allow access to the service in a limited fashion (e.g., run with output quarantined).

In one embodiment, the evaluation determines that the configuration passes a security threshold, and the action is sending a communication to a third computing device regarding the passed security threshold.

In one embodiment, a third computing device provides the service, and the method further comprises: generating a token for the first computing device, the token comprising first data encoding a risk level determined from the evaluation; and providing the token to the first computing device, wherein the first data is used by the third computing device to configure the service provided to the first computing device.

In one embodiment, the third computing device is configured to determine, using the first data, a risk state associated with providing service to the first computing device.

In one embodiment, the service is provided by a third computing device, and the method further comprises: extracting first data from a communication received from the first computing device or the third computing device, wherein the communication includes the request, or the communication is received subsequent to receiving the request; and performing the evaluation using the first data.

In one embodiment, the request regarding access to the service is generated by an application executing on the first computing device; performing the evaluation comprises determining an authenticity of the application; and performing the evaluation further comprises assessing a context of a user of the first computing device, the context comprising at least one of: a location of the first computing device, a device location for a prior login made to the service by the user, an event associated with a presence of the user on a computing device other than the first computing device, or credentials associated with the user that have become unsecure.

In one embodiment, the first computing device is associated with a domain, the method further comprises receiving a communication from a third computing device associated with the domain, and the evaluation comprises using data from the communication to evaluate the configuration of the first computing device.

In one embodiment, access to the service requires that a software component is installed on the first computing device, and the method further comprises: in response to determining that the software component is not installed on the first computing device, sending a communication to the first computing device requesting installation of the software component; after sending the communication, determining that the software component is installed on the first computing device; and in response to determining that the software component is installed on the first computing device, sending a communication to cause a third computing device to grant the access to the service.

In one embodiment, a non-transitory computer-readable storage medium stores computer-readable instructions, which when executed, cause a first computing device to: receive a request regarding access by a second computing device to a service; in response to the request, perform an evaluation of the second computing device; and perform, by at least one processor, an action based on the evaluation.

In one embodiment, the instructions further cause the first computing device to receive security data from a software component installed on the second computing device, wherein the evaluation is performed using the security data to determine a security state of the second computing device, and wherein the action is authorizing access to the service by the second computing device at an access level dependent on the determined security state.

In one embodiment, a system includes: at least one processor of a first computing device; and memory storing instructions configured to instruct the at least one processor to: receive a request regarding access by a second computing device to a service; in response to the request, perform an evaluation of the second computing device; and perform an action based on the evaluation.

In one embodiment, a third computing device provides the service, and the first computing device is recorded by the third computing device as an identity provider for requests to access the service.

In one embodiment, a fourth computing device is an identity provider (e.g., identity provider 172 of FIG. 1), and the action is sending a communication from the first computing device to the fourth computing device that authorizes access to the service by the second computing device.

In one embodiment, the instructions are further configured to instruct the at least one processor to receive security state information regarding a state of the second computing device, wherein the evaluation is performed using the security state information to determine a security state of the second computing device, wherein the action is authorizing access to the service by the second computing device at an access level depending on the determined security state, and wherein the security state information comprises at least one of a device identifier, a configuration, a setting, information on a security event, or a device state.

In one embodiment, a method determines an enterprise risk level, for sharing security risk information between enterprises by identifying a security response by a first enterprise and then sharing the security response to a second enterprise when a relationship database profile for the first collection indicates the security response may be shared. Another method determines whether to allow a request from an originating device where the request may have been initiated by a remote device. In one embodiment, the security risk information is used in the security evaluation performed (e.g., by the evaluation server 150 of FIG. 1 above or by another computing device) in response to the access request above. In one embodiment, data obtained from a mobile communications device is evaluated by the evaluation server 150 of FIG. 1 above to determine if granting the device access to a service presents a security threat.

In one embodiment, aggregated information is used in the security evaluation above. In one embodiment, a method is provided for passing aggregated information, such as source information, along with an access request. In the embodiment, aggregated information may be used to determine whether to allow an attempt to access a resource. The aggregated information may include, for example, user authentication information and source information, and source information may include, for example, information about the state of the initiating and originating computing devices, attributes or identifies of applications being used in the access attempt, and similar information from any intermediate (“intervening” or “chained”) application or computing device that is part of the access attempt.

The aggregated information may be passed with the access request in a number of ways, including, for example: as SAML security assertion extensions, as additional HTTP headers, or via a separate flow. In a further example, a single sign-on (SSO) provider (or Identity Services Provider, such as for example identity provider 172 of FIG. 1 above) may piggyback the aggregated information onto an access request (or responses), and security components on computing devices in the access request chain may add their contributions to the aggregated information in the SSO information flow.

In one embodiment, responses to an access request other than or in addition to “allow” and “deny” are allowed. For example, if the access request related to running an application on the destination computing device and the associated source information indicted that a computing device in the series was untrusted, a security component may allow the request in a limited fashion (e.g., run with output quarantined), or deny the request and initiate or suggest to the user the uninstallation of the target application.

In one embodiment, a source of a software component on one or more of the series of computing devices by which an access request is transmitted may be determined as described below in the section titled “Side-Load Protection”. In one embodiment, these software components may further be analyzed as described below in the section titled “Analyzing Components of an Application”, or as otherwise described below.

In one embodiment, a secure platform enables mobile devices, such as a cell phones, smartphones, or PDAs, to have relationships with services or service providers that are controlled by the state of security on each device. In one example, the platform is comprised of a server that receives data from security software on a mobile device regarding the device's security state. The platform enables access to a service to be granted, denied, or limited based on the security state of the mobile device. The platform may provide two-way communications between a mobile device and a service so that the platform can enforce access security both from the client to the service and from the service to the client. Furthermore, the platform allows services or service providers to evaluate the security state of a device independently of using the platform to communicate with the device.

In one embodiment, a system provides, by a software component on a computing device (e.g., for components on any one or more devices in a series of devices transmitting an access request, as discussed above), a dynamic assessment of a security state of a computing device (e.g., this assessment may be performed by the evaluation server 150 of FIG. 1 above). Here, the user of a mobile communications device may request access to a service provider. This may be where the user attempts to access a banking service or other network based service using software installed on a handset. This request may be managed by a server, which receives the request from the computing device. The server may access a database or other memory to determine whether it has updated security state information for the device. If not, then, this security state information is obtained from the device. Once obtained, the security state for the device may be assessed. If the security state is acceptable, then the device may have access to the service provider. If the device security state is unacceptable, then access may be limited or denied. The acceptability of a device's security state and the level of access to the mobile communications device may be set, for example, by the service provider.

In one embodiment a system and method for reporting security information relating to a mobile device is used. In one embodiment, the security evaluation performed above (e.g., by the evaluation server 150 of FIG. 1 above) is a security assessment. This security assessment is displayed in various formats on the mobile device display or on a client computer. A security component identifies security events on the mobile device that are processed on the mobile device or by a server. The security component then determines a security assessment for the mobile device based upon the detected security events. The security assessment display may be persistent in the form of a desktop widget or dashboard on a client computer, or home-screen item on the mobile device. This allows a user or administrator to verify that security protection on the device is functioning and to be alerted if the device needs attention without having to specifically seek the information, thereby enabling immediate response to potential security problems.

In one embodiment, a method evaluates security during an interactive service operation by a mobile communications device and includes launching, by a mobile communications device, an interactive service configured to access a server over a network during an interactive service operation, and generating a security evaluation based on a plurality of trust factors related to a current state of the mobile communications device, to a security feature of the application, and/or to a security feature of the network. When the security evaluation is generated, an action is performed based on the security evaluation. In one embodiment, the evaluation server 150 above performs an evaluation, including use of a threshold. In one embodiment, the plurality of trust factors are included in the first data above received by the evaluation server 150 for use in the evaluation.

FIG. 1 shows a system for performing a security evaluation by an evaluation server 150 in response to a request for access to a service provided by a service provider 170, according to one embodiment. In FIG. 1, the user terminals (e.g., 141, 143, . . . , 145) and/or mobile devices (e.g., 147, 149) are used to access and/or communicate with evaluation server 150, service provider 170, identity provider 172, application marketplace 123 (e.g., an Android or Google Play store or marketplace, or an enterprise application store), and/or a developer server (not shown) over a communication network 121 (e.g., the Internet, a wide area network, a local network, or other wired or wireless communications network).

Network 121 may be used to download and remotely install applications selected from marketplace 123 (e.g., using Google Play or the Android Market). Marketplace 123 may include one or more web servers (or other types of data communication servers) to communicate with the user terminals (e.g., 141, 143, . . . , 145) and mobile devices 147, 149. Each of these applications may initiate or originate an access request for a service provided by service provider 170.

Specifically, mobile device 149 may download a new application 1013 from application marketplace 123 or a developer server 160. In one embodiment, an application obtained from the developer server 160 is signed using a signing certificate 162. In one embodiment, the application obtained from the application marketplace 123 is signed using a signing certificate (e.g., using the same signing certificate used by the developer server 160).

New application 1013 has components 104 and 106. Application 1013 may generate an access request that is transmitted to evaluation server 150 (e.g., transmitted using a series of computing devices originating with mobile device 149). In one embodiment, component 104 is a software component (e.g., a security component) that generates or obtains data regarding a risk configuration of a computing device (e.g., a risk configuration of mobile device 149, on which a user initiates a request for access). For example, a user action in a user interface displayed on mobile device 149 causes component 104 to initiate an access request for a service provided by a computing device of service provider 170. The access request is transmitted to evaluation server 150, which performs a security evaluation of a configuration of mobile device 149 based on various factors, as discussed below in more detail.

If evaluation server 150 authorizes the access, server 150 sends a communication over network 121 to service provider 170 regarding authorizing access to the service. In an alternative embodiment, evaluation server 150 sends this communication to identity provider 172, which then performs additional authentication or identification services. In one embodiment, server 150 determines a risk level for mobile device 149 and includes this risk level in the communication to service provider 170 and/or identity provider 172.

In one embodiment, when component 104 makes a request for access to the service, the request is first sent to service provider 170. Then, service provider 170 forwards the access request to evaluation server 150. Evaluation server 150 performs a security evaluation of risk factors associated with mobile device 149. If the evaluation determines that the configuration is not secure, server 150 blocks access by mobile device 149 to the service.

In one embodiment, the security evaluation is based on data received from the mobile device 149. At least a portion of this data can be sent to service provider 170 and/or identity provider 172 along with a result of the security evaluation. In one embodiment, this data is received from component 104, or from another software component such as component 106 that is on mobile device 149. The data sent to evaluation server 150 is obtained from the mobile device using this software component.

In one embodiment, the security evaluation by server 150 includes determining a source of application 1013, component 104, and/or component 106. In one embodiment, the security evaluation includes evaluating authenticity of software on mobile device 149 and/or analyzing at least one component installed or otherwise stored on mobile device 149.

In one embodiment, the security evaluation determines an extent of security risk for mobile device 149 based on a plurality of factors. The extent of access to the service provided to mobile device 149 is based on this extent of security risk.

In one embodiment, the security evaluation determines that a risk configuration of mobile device 149 passes a security threshold. If the threshold is passed, server 150 sends a communication to service provider 170 and/or identity provider 172 regarding the passed security threshold. This communication may include data obtained from mobile device 149 and used in the security evaluation above.

In one embodiment, a token is generated for mobile device 149. This token includes data that encodes a risk level determined from the security evaluation. The token is provided to mobile device 149 by evaluation server 150 or another computing device such as service provider 170. The risk level and/or data obtained and used in the security evaluation is provided to service provider 170 to configure the service provided to mobile device 149. In one embodiment, service provider 170 uses the risk level and/or data from the security evaluation to determine a risk state associated with providing the service to mobile device 149.

The service may be dynamically reconfigured periodically and/or in real-time as subsequent security evaluations are performed for mobile device 149. Also, if the risk state fails a threshold determination, then the user of mobile device 149 may be alerted by a display or other communication on mobile device 149 that the service is blocked. In addition, the user may be requested to take remedial action using mobile device 149 and/or another computing device of the user.

In one embodiment, if it is determined by evaluation server 150 in a security evaluation, performed after a user has started receiving a service, that a risk level associated with mobile device 149 exceeds a threshold or is otherwise un-trusted, then an open session of the user with the service from service provider 170 can be closed. Also, any token of device 149 indicating a healthy or safe configuration of the device can be revoked or destroyed. This prevents further access to the service by the device. In one embodiment, if access to a service is terminated as just described, identity provider 172 can be notified of the change by evaluation server 150. Also, a level of access to the service can be decreased based on the newly-determined risk level, instead of terminating all access to the service.

In one embodiment, if it is determined by evaluation server 150 that mobile device 149 is not configured correctly or adequately as determined by a risk level, various actions may be taken. For example, mobile device 149 may be instructed to take a photo that is uploaded to server 150, acquire a device location and upload to server 150, and/or erase sensitive data on mobile device 149. Other examples include disabling login credentials, instructing the user how to remediate the problem, allowing login by the user, but denying access to certain services, revoking a token already in use by the device, and/or changing a password for the service.

In one embodiment, data used in the security evaluation by evaluation server 150 is extracted from one or more communications received from mobile device 149, from service provider 170, and/or identity provider 172. In some cases, such communication can be the communication that includes the access request. In other cases, the communication is received prior to or subsequent to receiving the access request.

In one embodiment, the access request is generated by application 1013, which is executing on mobile device 149. Performing the security evaluation includes determining the authenticity of application 1013, for example as discussed below.

In one embodiment, the security evaluation can include assessing a context of a user of mobile device 149. This context can be determined by various factors including a location of mobile device 149, a device location for at least one prior login made by the user (e.g., a prior login to the service), an event associated with the presence of the user on a computing device other than mobile device 149 (e.g., this other device may be a tablet, a laptop, or a watch device of the user), or credentials associated with the user that have become unsecure (e.g., credentials that have been identified from monitoring of the dark web).

In one embodiment, mobile device 149 is associated with a domain. Evaluation server 150 performs an evaluation using data from one or more prior communications received by evaluation server 150. These prior communications may be provided from other computing devices associated with the domain.

In one embodiment, access to the service from service provider 170 requires that a software component is installed on mobile device 149. In response to determining that the software component is not installed, the communication is sent to the mobile device requesting installation of the software component. After sending this communication, evaluation server 150 determines whether the software component is properly installed on mobile device 149. If so, server 150 sends a communication to cause service provider 170 or identity provider 172 to authorize or grant access to the service.

In various embodiments, access to a service provided by service provider 170 is conditioned on a successful evaluation of various risk-based factors. Mechanisms that may be used to authenticate a device, user, and/or application by evaluation server 150 include one or more of the following: requiring that an TLS client certificate be supplied for each access request by mobile device 149, evaluating authentication factors provided from network connection establishment (e.g., Wi-Fi, VPN, cellular, etc.) by mobile device 149, or evaluating authentication factors provided from establishment of a network tunnel or proxy connection for mobile device 149.

In various embodiments, factors used in a security evaluation by evaluation server 150 to allow or deny access to a service are now described below:

1. Various device factors associated with mobile device 149 include determining whether the device is compromised, such as whether an operating system is compromised, whether the device is up-to-date, such as whether a vulnerable operating system version is in use. Further factors include determining a presence of malware, or determining whether the device has a secure configuration. For example, determining whether a bad TLS root identified for certificate authorities is installed on the device, an anomalous VP N/proxy is identified, whether device encryption enabled, and/or whether a pin code is enabled. Further factors include evaluating hardware-backed authentication associated with mobile device 149. For example, determining whether a device key is stored in a secure enclave, or whether a server provides a nonce which mobile device 149 signs with hardware to prove presence of hardware-stored key.

2. Various user factors may be used in the security evaluation. These factors may include biometric factors such as a fingerprint, or knowledge-based factors such as whether a user of mobile device 149 is able to answer knowledge-based questions (e.g., about the user's background or prior life or work activities).

3. Various application factors may be used in the security evaluation. These factors may include determining whether application 1013 on mobile device 149 is an authorized or allowed version of the application. For example, whether the application is the official enterprise application or an unofficial version. Also, these factors include determining whether the application is up-to-date, such as whether there is a known vulnerability in this particular application.

4. Various context factors may be used in the security evaluation. These factors may include determining a location of device 149, other recent user logins and respective devices/locations associated with these logins, and/or other user-present events (e.g., a badge in, CCTV facial recognition, Wi-Fi connections, and Bluetooth beacon detections).

In various embodiments, various mechanisms are used to authorize access to the service by service provider 170, as now described below:

1. At authentication time, one or more the following mechanisms may be used:

-   -   a SAML proxy when the user is logging into a service using         mobile device 149 (e.g., evaluation server 150 is the SAML         identity provider of record, that proxies to a secondary         identity provider if and only if risk factors are evaluated and         pass a threshold).     -   an MFA (multi-factor authentication) challenge performed by         identity provider 172 (e.g., identity provider 172 requires an         MFA challenge from evaluation server 150, which is successfully         complete if and only if risk factors are evaluated by server 150         as being OK). As another example, integration occurs by API         integration or in a rotating-code MFA system by an on-device         client requiring information from the server in order to access         its random seed).     -   As a risk check performed by identity provider 172 (e.g.,         identity provider 172 communicates with evaluation server 150         using an API at time of authentication).     -   As a pre-set state known to identity provider 172 (e.g.,         evaluation server 150 pre-sets a device/user/application risk         state in identity provider 172, then evaluation server 150         changes this risk in real-time as results from subsequent         security evaluations change).     -   TLS client certificates whose validity changes dynamically by         evaluation server 150 operating dynamic OCSP or CRL services.

2. At network connection time (e.g. VPN, Wi-Fi, cellular, or other network), various mechanisms are used to determine which of network segments associated with the network connection should be authorized, as follows:

-   -   Network verifies a risk state as part of connection         establishment by an on-device client (e.g., component 104)         providing information to a network authentication service.     -   Mobile device 149 provides a service that the network can query         (e.g., an HTTP server running on the device).     -   The network can consult a third-party risk service to retrieve         the latest risk information about mobile device 149.

3. The following mechanisms can be used for each access request or interaction by mobile device 149:

-   -   An identity-aware proxy that validates a risk level associated         with mobile device 149 on a per-request basis. The service is         configured only to allow requests from the identity-aware proxy         (e.g., via only accepting requests from a particular IP address,         or via request augmentation such as signed headers or tokens).

4. Out-of-band authentication:

-   -   A service authenticates a device, application, user, etc., and         requests a risk status of any/all of the foregoing from         evaluation server 150.

Variations of Security Evaluation

Various additional embodiments of performing a security evaluation in response to an access request are now described below. The embodiments below do not limit the generality of the foregoing discussion.

In one embodiment, upon the user of a device or the device directly requesting the use of a service, the evaluation server determines whether a certain client application is present on the device. If the client application is not present and/or activated, then the evaluation server requires the delivery, installation and/or activation of the client application on the device before access to the service is granted.

If it is determined that the certain client application is present and activated, then the client application checks to see if the device is configured sufficiently well. In one embodiment, the device is sufficiently configured for service access if an evaluation of factors by the evaluation server passes a threshold.

In one embodiment, if it is determined that the certain client application is installed on mobile device 149, evaluation server 150 attempts to uniquely identify mobile device 149 based on information that the evaluation server 150 has previously stored and/or information received as part of authenticating mobile device 149. For example, the received information includes information regarding the type of device, the operating system the device is running, an IP address provided by the device, etc. In one embodiment, the foregoing information regarding the device is cross-referenced with a data set stored for a given enterprise. Based on this cross-referencing, evaluation server 150 can send a push notification to the device (e.g., a Google cloud message for an Android device).

In one embodiment, evaluation server 150 stores (e.g., in one or more databases accessible by server 150) a plurality of snapshots of the security configuration of mobile device 149 and other computing devices that have requested access to service provider 170. Each of these snapshots comprises data for a particular device as used in prior security evaluations. These stored snapshots can be used in performing a new security evaluation.

In one embodiment, for latency reasons, evaluation server 150 determines the time that the device last checked in with server 150 and was in a secure state (e.g., determined to be an acceptable or low-risk device). If the device was determined secure at this last check-in, evaluation server 150 determines that there is no need to wake up or otherwise interact with that device in real-time for a new security evaluation. Instead, evaluation server 150 authorizes access to the service in reliance on the prior snapshot, or prior risk state determination that falls within a predetermined time period.

In one embodiment, if evaluation server 150 determines that the client application is not installed on mobile device 149, evaluation server 150 creates a fingerprint of mobile device 149. This fingerprint comprises all information previously collected and/or newly-obtained about device 149. For example, some of this information is extracted from the communications with mobile device 149 as part of an authentication or identity communication flow.

Also, for example, this extracted information includes who the user is, what type of device is being used by the user, data extracted from the one or more HTTP or other headers of communications from the device (e.g., these headers may data regarding what service application the device is attempting to access), what operating system version the device is using, the IP address of the device, etc.

Evaluation server 150 checks to determine if this device fingerprint matches other data for fingerprints of any other devices that have interacted with evaluation server 150. In one case, these devices are other devices of the user of mobile device 149. In some cases, if the client application is not installed on the device, evaluation server 150 sends a communication causing mobile device 149 to request that the user install the client application.

In one embodiment, evaluation server 150 collects data from the device and sends the data to a cloud back-end server system accessible to server 150 in order to compare the collected data to other data that evaluation server 150 has collected. Types of data collected include, for example, an application inventory of all apps installed on the device, version numbers for the apps, and what are the hashes and unique identifiers associated with those applications. Evaluation server 150 fingerprints the filesystem of the device (e.g., firmware, etc.) and calculates a fingerprint for the device so evaluation server 150 can determine when a device is running modified firmware or other (improperly) modified software.

In one embodiment, evaluation server 150 collects information regarding how the network is behaving (e.g., the network communication path between evaluation server 150 and mobile device 149, or communications by mobile device 149 with other computing devices). For example, evaluation server 150 runs a series of behavioral tests on each network to which mobile device 149 connects (e.g., whether the device is sending potentially hack-able communications to random or unknown servers; whether there been any attempt to downgrade the TLS or other secure version of protocol being used for communication; and/or whether the certificates that the device is receiving from these requests are valid, etc.).

In one embodiment, at least a portion of data associated with the security evaluation by evaluation server 150 is sent to service provider 170. The service provider can configure a policy regarding the type of data that is sent by evaluation server 150 (e.g., using a console provided to the service provider by evaluation server 150). Use of this policy can group the device based on the evaluated data into a risk class (e.g., high-risk or low-risk). Evaluation server 150 only communicates to service provider 170 the class of risk based on the previously-determined or configured policy (e.g., using the console) of the service provider.

In one embodiment, data collected by evaluation server 150 is fed into an identity access engine on identity provider 172. This fed data can be correlated with or joined with other data sets stored by identity provider 172.

In one embodiment, evaluation server 150 monitors numerous computing devices (e.g., 10,000 or more devices that are monitoring and/or managed as to policies 116). For example, when an enterprise is attacked, typically it is more than just one individual device that is attacked. Evaluation server 150 monitors for the rise or occurrence of certain types of events that are detected across one or more of these devices associated with a given enterprise. The level of risk determined by evaluation server 150 in the security evaluation may be correlated with the number of devices that are affected by an event. In one embodiment, such monitored information is fed into a security information event management (SIEM) system. This is where data from evaluation server 150 can also be fed. The SIEM system can also be used to detect the above correlation to the above prior risk events, snapshots, or fingerprints.

In one embodiment, various configuration settings of the device can be checked as part of the security evaluation by the evaluation server, as follows:

A. For Android devices: Is a developer mode enabled or disabled? Is USB debugging enabled or disabled? Is “Nearby Devices” sharing on or off? (this can include a list of content to share, or a list of allowed or denied devices). Is the lock screen disabled, or if it is enabled, is the setting for making passwords visible on or off, is a PIN or a pattern or a password used, what is the secured lock time, is “Smart Lock” off or on, for on-body detection, for trusted places, for trusted devices, or unlocking for a trusted voice? Are there any other “trust agents” installed (e.g., like Google Smart Lock)? Are these apps configured with access to usage data? Are there CA certificates in the Trusted Credentials store that are anomalous (e.g., not ordinarily there), or whose presence violates enterprise policy? Is the device configured to allow or disallow security policy updates? Is there a SIM card lock or not on the device? Is there a factory data reset password or not? Is encryption for the device enabled or disabled? If there is an external SD card, is it configured to be encrypted or not? Is the installation of applications from unknown sources allowed or disallowed? Are there any apps configured to be device administrators? Are any of the apps disallowed by enterprise policy to be a device administrator? Are there any anomalous apps set as default applications, or apps disallowed by enterprise policy? Are there any accessibility apps enabled on the device? Is the verify apps setting enabled or disabled? Are there any installed keyboards?

B. For iOS devices: Is the lock screen disabled or enabled? Is the device configured to ask to join networks or not? Is Bluetooth on or off? Are there devices configured to be allowed to Bluetooth connect? Is a personal hotspot configured on or off? Is Wi-Fi assist configured on or off? Which apps have notifications configured to show on lock screen? Is Handoff configured on or off? Is Car Play configured off or on; if on, for what list of cars? Are there any installed keyboards? Are there any VPN configurations?

In one embodiment, for any of the above configuration settings, an enterprise policy that applies to the device (e.g., such as stored on administrative server 302) may determine the associated risk levels for each configuration or setting item. In one embodiment, this may be the determining of a risk result that is higher or lower than a threshold. This determination may be used to allow greater or fewer degrees of freedom regarding access to the service.

For any of the above configuration settings, where there is an enterprise or default policy that determines the associated risk levels for each configuration or setting item, the administrator may specify a combination method for the individual risk levels, for example, the maximum (riskiest) level, or an additive risk level (e.g., adding risk levels to create a total risk level), etc. The result may be compared with a threshold which is configured, or may be compared with a threshold percentile level for a comparable group of users or devices, for example this device's risk level is higher than a predetermined percentage (e.g., 75%) of all peer group users.

Alternatively, the comparison may be made with a comparable group of users or devices at large (in the world or other defined group of users or devices) vs. just users or devices within a particular enterprise. The peer group may be based on a user's role within an organization, the threshold may be based on the user's role within an organization, the threshold may be based on an inherent risk sensitivity associated with a user role, or the threshold may be based on the current set of data and/or services and/or apps which reside upon the device.

In one embodiment, if the device is determined to be configured correctly, or passes a threshold of configuration correctness (even though not fully correctly configured), the client application on the device informs the service provider that the device is correctly configured. In an alternative embodiment, the client application informs the service provider that the device is configured above a threshold, but not fully configured. The service provider permits the device to access the service (in a variation, the service provider permits the device to access some portion of the service but not the complete service (e.g., a user can check a balance on an account, but cannot transfer money)).

In one embodiment, in the above discussion, the service provider may itself also be an identity provider (e.g., a single sign-on (SSO) provider, or a provider of a service/function such as Active Directory or similar).

In one embodiment, all of the functions above are provided, but instead of using a separate client application on the device, the attestation functionality is provided via an SDK that controls the active application in the device directly. In other words, a software component is a part of the active application on the device that makes the request for access to the service.

In one embodiment, the dark web may be monitored to determine if user credentials have been leaked to the dark web. Upon detection of user credentials in the dark web, a notification is provided to an administrator console that user accounts have been identified as appearing on the dark web.

In one embodiment, the evaluation server collects data sets of leaked credentials from the dark web. This data may include e-mails, e-mails and passwords, or e-mails and passwords and the service they are associated with. If there are strong or weak matches against the totality of all legitimate identities that the evaluation server is aware of (e.g., that belong to users or customers of an enterprise or other service), then this information is fed into an identity system of identity provider so that appropriate actions can be taken.

For example, if an e-mail is dumped onto the dark web, even though there is not a password found, a user's security may be compromised (e.g., the password may be stolen even though not found by the evaluation server). In this case, as a precaution, the user is asked to reset her password. Alternatively, multi-factor authentication can be required the next time a login is attempted by this user on a service. Alternatively, all authorization tokens that have been issued for this user can be revoked.

In one embodiment, the evaluation server or another computing device stores hashes of passwords in a database. In case of a leak of a password to the dark web, the evaluation server compares a hash of the leaked password to these stored hashes.

In one embodiment, the administrator may trigger remediation. For example, the administrator may force a change of passwords, or force closing of any session which may currently be open using the leaked user credentials.

In one embodiment, the analysis functions performed by the evaluation server can be done via an SDK that is injected into a client application that the user is currently using on the user's device. One example is an identity provider (e.g., Okta has an app that facilitates single sign-on using a user device). The Okta app can include an SDK that incorporates the security evaluation functionality above so that the app can make risk decisions itself instead of having to consult another application or computing device.

In one embodiment, a use case is a business-to-consumer use case. For example, a bank can decide that before customers are permitted to login to a banking application, or attempt to initiate a large balance transfer, the evaluation server checks the risk level of the device. The bank can require that the user install an application that incorporates or uses the security evaluation discussed above.

In one embodiment, multi-factor authentication generates a soft token on a user mobile device. The risk level determined by the evaluation server can be incorporated into the token that is generated. The evaluation server uses a multi-factor authentication application, or this functionality can be integrated into a service application using an SDK as discussed above. When the user is generating the token, the token indicates that this is a trusted device that belongs to the user, and also that the device is in a given risk state, such as one of several classifications of risk. Also, other types of information can be encoded in the token that is generated. The user is not aware of the level of risk encoded in the token, and the entering of the token is also communicating information about the security status of the device.

In various embodiments, additional aspects of risk may be incorporated as factors in the security evaluation. For example, a version number of the application on the user device can be used as a factor.

In one embodiment regarding an IoT device, a module on that device can be interrogated. For example, the module can be used to check to see if communications are going through a secure VPN, check a firmware version, check typical requests to see if the requests look healthy or secure, or to personalize the device to enterprise ownership. In another example, a device phones home to a designated server that does a challenge response mechanism to authenticate the device.

In one embodiment, all checks in a security evaluation list are run through. If the checks are successfully done, then a credential challenge dialog is presented to a user on the device (e.g., in a login screen). In one embodiment, if a risk level is determined to be too high, login credentials are disabled.

In one embodiment, if a user takes a device out of compliance, a token on the device that indicates the device is healthy (or able to access services) is destroyed or removed. A different token can be used for each of several services.

In one embodiment, if an Apple watch or other computing device associated with the user is present, then this is a factor indicating the user is likely to be the normal user. In one embodiment, another factor is a determination that there is an unexpected proxy in the series of devices that transmit an access request.

In one embodiment, there are cases where the evaluation server determines that a device should not be trusted without first requiring installation of a client application on the device. For example, based on headers received by the evaluation server, it is determined that the device is running an older operating system that is deemed as being unacceptably old. So, a security evaluation does not necessarily require consulting a client application on the user device. There are cases where the evaluation server can make a decision not to trust the device (e.g., solely from a SAML request) even though no client application is on the device.

In one embodiment, a user of mobile device 149 is attempting to log into a service at the domain service.com provided by service provider 170. The user enters her username and password. Based on the user entering her e-mail address or the domain name of the e-mail address, service provider 170 redirects this access request to identity provider 172 (e.g., an identity sign-on provider such as the Okta service). The user then provides her username and password to identity provider 172. In one example, this communication occurs over protocols like SAML 2.0 or OOP (Security Assertion Markup Language (SAML) is an XML-based data format for exchanging authentication and authorization data). In one embodiment, SAML chaining is used with multiple identity providers that all consult each other before a user can log in.

In one embodiment, the service request to service.com is made by an application on mobile device 149 that is associated with service.com. This application is configured to communicate with evaluation server 150 when an access request is made to the service.com domain. Evaluation server 150 is configured to communicate with identity provider 172 if server 150 determines that the device is in a secure state. If server 150 determines that the device is insecure, server 150 can request that the user remediate any issue identified.

In one embodiment, evaluation server 150 checks that a device is free of threats and is compliant with a corporate policy corresponding to service provider 170. Regarding vulnerabilities and this policy, these can be configured by service provider 170 based on the service provider's desired risk threshold. For example, for the risk of an operating system version that is too old, the service provider sets the policy as to whether the service provider wants to prevent access to that device. In other cases, regarding behavior and configuration, a determination can be made whether the application running on the device is compliant with policy, whether the way that the device is configured is compliant with policy, whether there is a passcode set, etc.

In one embodiment, the level of risk as determined by the security evaluation leads to access to some services, but not to other services. For example, access to some resources may be permitted, but not to other resources (e.g., resources required to send money). The determined level of risk is used to set the level of access provided to the service.

Side-Load Protection

Various embodiments regarding side-load protection are discussed below. These embodiments do not limit the generality of the foregoing discussion regarding security evaluation.

As used herein, “side-loading” or “side-loaded” as used to characterize an application or other software indicates obtaining or obtained from a source that is not the default authorized channel for obtaining applications for the type of device (e.g., the default channel may be set by the administrator of the device such as by using an administrator server, or be set by any computing device different than the device onto which the application is to be installed). Examples of a source that is not the default authorized channel include a source that is not trusted, not known, or not authorized.

A source may be trusted for various reasons, including, for example, that the source is an authorized Google Play store or Apple App Store. Other examples include a source identified by an administrator of mobile devices (e.g., for a large corporation with thousands of employees) for use by users in downloading new software. In another example, a source may be trusted based on a prior history with that source (e.g., extensive prior downloads without negative incidents). Also, a source of prior copies of software may have been previously trusted, but at the time of sourcing a particular software file or component, the source is untrusted, so that the software is considered as being side-loaded.

Other examples of a side-loaded application include an application obtained from a source that is not known, and thus is untrusted, for example because there is no prior history of interaction with the source, or there is no independent confirmation or information that the source can be trusted. In another example, when referring to Android apps, an application is side-loaded if it is installed using an application package in APK format onto an Android device, after downloading the application package from a website other than Google Play. This side-loading is possible if the user has allowed “Unknown Sources” in her security settings on her computing device (this setting allows the installation of non-market apps).

The embodiments set forth herein are implemented using a wide variety of different types of computing devices. As used herein, examples of a “computing device” include, but are not limited to, a server, a centralized computing platform, a system of multiple computing processors and/or components, a mobile device, a user terminal, a vehicle, a personal communications device, a wearable digital device, an electronic kiosk, a general purpose computer, an electronic document reader, a tablet, a laptop computer, a smartphone, a digital camera, a residential domestic appliance, a television, or a digital music player. Additional examples of computing devices include devices that are part of what is called “the internet of things” (IOT). Such “things” may have occasional interactions with their owners or administrators, who may monitor the things or modify settings on these things. In some cases, such owners or administrators play the role of users with respect to the “thing” devices. In some examples, the primary mobile device (e.g., an Apple iPhone) of a user may be an administrator server with respect to a paired “thing” device that is worn by the user (e.g., an Apple watch).

An administrator defines and deploys policies for an organization. In some embodiments, the organization may be a family or other social group, and the administrator role may be performed by a parent or guardian, or may be performed by a third party service provider. Such a third party service provider may be a provider of security services, or the network operator, or a provider of content services. The additional levels of protection and control that organizations such as enterprises desire can also be advantageous for consumers, but consumers are typically not knowledgeable enough to perform administrator roles. Thus, there is often a need for third party service providers to act as technically-oriented admins. The consumer or parent or guardian as an admin may specify preferences corresponding to high-level policy decisions, and a technical admin can configure underlying services to meet these high-level policy decisions. As used in this disclosure, the term “administrator” or “admin” includes, but is not limited to, all such administrators (e.g., technical admin, consumer, parent, guardian, service provider, etc.) as described in this paragraph.

As mentioned above, users of mobile devices install applications from numerous various sources that are beyond the control of an administrator. In some embodiments, within a mobile network, the network operator can perform various admin functions as described in this disclosure. Also, the embodiments described herein are not limited to use solely in enterprise BYOD situations, but are also useful, for example, in other cases such as where a consumer wishes to administer all devices for the members of her family, or all of her personal devices (e.g., phone, watch, laptop, desktop computer, etc.).

In one example, a component is a part of an application (e.g., an application that is installed by a user from an Android or other software application marketplace and then executes on a mobile device). In one example, a component is provided by the application's creator or by a third party. In another example, the component may be code provided by an ad network or an analytics network.

In yet another example, components are linked libraries/SDKs that are packaged within an application. This is code that is within the application, but the code is developed by a third party and provides the ability for an application developer to integrate certain behaviors of that component into the developer's application (e.g., displaying a certain type of ads from a certain ad network such as LeadBolt). In another example, a set of data (e.g., in a file or a database) that is used by an application may be considered as a component of that application. Also, in some examples, data used by an application can be considered as known or unknown, or trusted or untrusted.

In one embodiment, a component (e.g., a component associated with an ad network) may have multiple behaviors associated with it (e.g., notification display, settings changes, and/or information collection). For example, the behaviors of the BTController application (discussed further below) is the summation of the behaviors of its constituent components. In some cases, components may provide the ability to selectively opt-out of individual behaviors. However, in other cases, this is not possible, and in order to opt out of any set of behaviors, a user must opt-out of the entire component.

Various embodiments described below for side-load protection relate to determining a source of software that is loaded on or otherwise transferred to a computing device. It is typically desired to determine the source in order to assess the risk of the software and make a determination or decision whether further action should be taken with respect to the software such as, for example, blocking installation of the software onto the computing device.

Sources of software (e.g., software loaded by user onto her laptop computer or mobile device) may include various numerous, non-limiting examples. For example, sources may include various channels of distribution for software applications. These channels may include the Google play store or the Apple App Store, other websites, various file sharing or transfer servers, peer-to-peer file-sharing systems (e.g., BitTorrent), and other network or computer system transfer sources for software. In addition to the foregoing types of sources, other sources include software accessed are installed locally such as by user inserting a USB memory drive into a computing device, or pairing two mobile devices using a Bluetooth connection.

There are various ways that a source of an application can be determined. In one embodiment, the source of an app on Android can be determined by calling getInstallerPackageName( ). In another embodiment, a source of software may be, for example, the “default” and/or “normal” channel for an operating system (OS) or other software, such as defined by an administrator server that manages computing devices for an enterprise.

In various embodiments, channels can be considered or deemed to be white-listed or black-listed. White-listed channels are trusted, and black-listed channels are untrusted. For example, applications from white-listed channels are generally considered as being trusted software, and applications from black-listed channels are generally considered as being untrusted software.

The software itself that is side-loaded includes various examples. For example, the software may be an application, a widget, an executable file, binary code, firmware, operating system components or updates, and other forms of executable software. Examples further include other files, such as office documents or PDF files, that may contain components like scripts or macros which are themselves executable. In some cases, such an embedded executable component may have associated with it identifiers or signing key information which can be used to separately determine the source of that executable component. An application itself may contain another application, for example, where an application for a mobile device which contains within it another related application which is intended for installation on a wearable or other personal or external device.

In various embodiments, the source of side-loaded software may be determined in various ways. For example, channel identifiers (channel IDs) associated with an application may be compared to various white lists and black lists. In another example, prior experience with the same or similar software on other computing devices may be used to make an assessment of the source of software being currently installed on a particular device. For example, various components of a currently-sourced software application can be identified and compared to components of software previously analyzed for prior installations made on other computing devices.

In another example, characteristics (e.g., a signing certificate or other signature of an application) associated with the developer of the software may be used to determine the source. In another example, the behavior of software either as installed on a mobile device or as determined by execution in a controlled environment may be used for making an identification of the source of the software. For example, the behavior of software newly being installed may be the same or similar as prior known malware.

In various embodiments, as each software application is assessed for making a determination of source, a source identifier is associated with the software. The source identifier is used by a mobile device or other computing device on which the software is being installed. The mobile device can communicate with an evaluation server using the source identifier as a basis for side-load protection activities, as discussed below. An application identifier is also associated with the software for tracking data related to the application. In one embodiment, an application identifier is an identifier used to identify a particular application. Examples of such identifiers include an application package name, an application title and version, or an arbitrary identification number (binary or otherwise).

In some embodiments, even a trusted source (e.g., the Google Play Store) may provide certain applications that are unauthorized or undesirable in at least one aspect. For example, a banking enterprise may authorize obtaining of a banking application from a designated enterprise website (e.g., a Bank of America website to which a user or a mobile device authenticates itself). An administrator of the enterprise desires that users download the banking application from this designated website, which the administrator considers to be a trusted source. However, a user might download the same or similar banking application from another source. This other source may be trusted for most applications. For example, the Google Play Store may be considered by an administrator server to be a trusted source for most applications downloaded to a device.

However, for the above particular banking application, the enterprise administrator only considers the application to be obtained from a trusted source if that source is the designated website. Any banking application obtained from the Google Play Store is considered to have been obtained from an untrusted source.

A source (such as previously identified and assigned to a source identifier) from which an undesirable application has been obtained can be set to or marked as being untrusted (either generally for all software obtained from that source, or untrusted, but only with respect to certain defined software). For the example of the banking application above, the Google Play Store can be deemed to be untrusted source for this application.

In one embodiment, evaluation server 150 stores data that associates source identifiers with application identifiers of those applications for which the respective source is considered untrusted (e.g., the banking application from the Google Play Store above). This stored data is used in later comparisons of source identifiers for new applications being installed on a computing device. The source identifier for a new application is compared to such previously-associated source identifier/application identifier records. If the new application is determined to be the same as or similar to the previous application (e.g., a previous application obtained in an unauthorized manner from the Google Play Store), than the new application is likewise considered to have been obtained from an untrusted source. For example, the similarity of the new application to the previous application can be determined by component analysis as described herein. In one case, a new, same-or-similar banking application obtained from the Google Play Store has an application state (or a state designation) set to untrusted in response to this determination.

In various embodiments, a mobile device on which an application is being installed stores state data. The state data includes a mobile device state and an application state for each application stored on or installed on the mobile device. The mobile device state may have values including trusted, untrusted, and unknown. The state of unknown indicates that a determination has not yet been made whether the mobile device is trusted or untrusted, or that an event has occurred on the device which could require re-assessment and could change the mobile device state. The application state may have values including trusted and untrusted. An application having a state of untrusted will, for example, not be executed.

Various embodiments described below also discuss state designations. A state designation is generally an indication by a computing device to be used by another computing device for setting a state. The state designation may have values of trusted and untrusted. The state may be the mobile device state or an application state. For example, the mobile device may receive a state designation from an evaluation server and then set the mobile device state (or alternatively an application state) based on the state designation. An application identifier will be associated with the state designation in order to identify the applicable application.

In some cases, the evaluation server communicates with an administrator server, which itself may make determinations of state designations that are sent to the evaluation server. The evaluation server uses a state designation from the administrator server in order to make a decision at the evaluation server regarding a state designation to send to the mobile device. The state designations may be selected based on various factors including the source of software, its source identifier, component or behavior analysis of software, etc., as discussed herein.

In various embodiments, based on the mobile device state and/or the application state, various actions may be performed with respect to the mobile device. For example, the mobile device may be denied access to a corporate network, or an application may be disabled.

In some embodiments, the source of the application may be determined during the process of assessing authenticity of the application, as discussed herein. For example, an application that is determined as not being authentic can have its source added to a blacklist.

In some embodiments, an application can be monitored for fraudulent behavior. If fraudulent behavior is identified, the source of the application can be added to a blacklist.

In some embodiments, installation of an application onto a computer device can be monitored. The signature associated with the application or other characteristics of the signer of the application can be used to assess the source.

In some embodiments, the manner of usage of an application on a computing device can be monitored. The usage or behavior of components of the application on the device that are inconsistent with a user or administrator-designated policy can be identified. In such event, the source and/or the application can be deemed as untrusted.

There are various examples of policies that may be used on mobile or other computing devices. For example, a user policy may define the handling of components 104 and 106 on mobile device 149. A policy may be defined by behavioral preferences established by a user and/or an administrator, and this policy is enforced on new applications installed on the mobile device. In another example, a policy may apply to a particular identified application.

In other examples, policies may be defined and applied to control or restrict the behavior of applications and their components. This can include the identification of advertising networks and defining policies to permit various opt-out actions for these advertising networks.

In some embodiments, a component analysis of an application can be used to relate components of a new application to a database of characteristics for known bad components. If the component in the new application corresponds to a known bad component, the source of the software can be identified as untrusted.

In various embodiments, side-load protection services are used by an administrator of numerous mobile devices, for example, for a company having thousands of employees. Mobile device management software is executed on an administrator server that provides a console for the administrator. The console provides information to the administrator regarding source information and statistics for side-loaded applications of managed devices. The administrator server communicates with the evaluation server as part of the side-load protection services.

In addition to the security evaluation discussed above, evaluation server 150 may also provide protection against side-loaded applications. In various embodiments, evaluation server 150 performs side-load protection as discussed below. The system of FIG. 1 may also be used for protection against side-loaded applications, in which user terminals 141-145 and mobile devices 147-149 communicate with evaluation server 150, according to various embodiments. Mobile devices may include, for example cell phones, smartphones, and tablet devices such as the iPhone device or an Android tablet. Mobile devices may also include automobiles, planes, or other vehicles that include a computing device, such as an embedded computing or communication system that communicates via the Internet over a cellular phone system, or other portable computing devices (e.g., devices that pair with a mobile device using Bluetooth, such as an Apple watch). The mobile devices communicate with evaluation server 150 and optionally an application marketplace 123, and/or a developer server (not shown), according to various embodiments as described below.

Additional examples of mobile or other computing devices include devices that are part of what is called “the internet of things” (IOT). In the IOT there are multiple devices which operate on their own, without accompanying and attendant users. Such devices may be mobile or sessile; they may have various sensors and computing and communication capabilities and may run applications; schematically they can be considered substantially similar to a mobile device. Such “things” may have occasional interactions with their owners or administrators, who may monitor the things or modify settings on these things. Such owners or administrators play the role of users with respect to the “thing” devices. In some examples, the primary mobile device of a user may be an administrator server with respect to a paired “thing” device that is worn by the user (e.g., an Apple watch). In an embodiment, a “thing” or a device, e.g., one intended for use as a health or medical device, may have an embedded white list defining trusted sources for applications, or may have an administrator associated with that device, e.g., an administrator working for the medical device manufacturer or distributor, who can control the side-loading policies for that device.

As mentioned above, in FIG. 1, the user terminals (e.g., 141, 143, . . . , 145) and/or mobile devices (e.g., 147, 149) are used to access and/or communicate with evaluation server 150, application marketplace 123 (e.g., an Android or Google Play store or marketplace, or an enterprise application store), and/or developer server (not shown) over a communication network 121 (e.g., the Internet, a wide area network, a local network, or other wired or wireless communications network).

Network 121 may be used to download and remotely install applications selected from marketplace 123 (e.g., using Google Play or the Android Market). Marketplace 123 may include one or more web servers (or other types of data communication servers) to communicate with the user terminals (e.g., 141, 143, . . . , 145) and mobile devices 147, 149.

Specifically, mobile device 149 may download a new application 1013 from application marketplace 123 or developer server 160. An application obtained from developer server 160 is signed using a signing certificate 162. New application 1013 has components 104 and 106.

In an alternative embodiment, an application or other software has been preloaded onto mobile device 149. In this case, assessment of this application alone (or assessment of this application along with a set of or all applications installed on mobile device 149) can be performed. In one embodiment, this preloaded application includes components that are assessed and handled such as described herein for new applications being installed on a mobile or other computing device.

Mobile device 149 stores a user policy 108. The new application 1013 may be compared to user policy 108 during or after installation. Evaluation server 150 includes a data repository of policies 116 (e.g., user policies). User policy 108 of mobile device 149 may be compared to policies 116. An administrator server (not shown) may provide some policies in policies 116 (e.g., as regards usage of or installation of applications onto mobile device 149).

In one example, an owner of an Android phone (e.g., mobile device 149) may visit a web site hosted by marketplace 123 and select a free poker game application for remote installation on mobile device 149. The user may authenticate itself to marketplace 123 by its email address (e.g., Gmail address) and password.

The marketplace 123 is connected to respective data storage facilities to store applications, messaging account data for users, user preference data, and other data. A messaging server (not shown) may be connected to communication network 121 to deliver messages (e.g., email or text) to user terminals 141-145 or one of a user's mobile devices 147, 149.

In one embodiment, a software server (not shown) may be coupled to communicate with application marketplace 123 and/or mobile devices 147, 149 by communication network 121. The software server stores, for example, an application (e.g., the Ad Network Detector discussed below) in memory. The application stored on the software server is sent to application marketplace 123, where it is stored for later download and installation by a user. For example, the user of mobile device 149 may access marketplace 123 to download and install the application. In another embodiment, the software server is developer server, or another computing device, and may be used to upload an application to marketplace 123.

In one embodiment, the software server communicates with the application (now executing on mobile device 149 after installation by the user). The application is configured to identify at least one behavior on mobile device 149 as discussed herein. The at least one behavior is associated with each of a plurality of components of a plurality of other applications installed on the mobile device 149 (e.g., other applications previously downloaded by the user from the Google Play service), and the at least one behavior includes a first behavior associated with a first component.

Evaluation server 150 may receive at least one behavioral preference of the user (e.g., from mobile device 149 and/or from an administrator of the mobile device). The at least one behavioral preference may be determined by the application based on input from the user (e.g., a user selection from a menu or results list) or the administrator.

The server stores the at least one behavioral preference (e.g., stores in a memory of the server) for later uses such as responding to queries from other computing devices regarding the intent of the user of mobile device 149. In one embodiment, the Ad Network Detector discussed below may manage these behavioral preferences on behalf of a user for these networks.

Identity provider 172 may be coupled to communication network 121. The identity provider 172 may communicate with, for example, evaluation server 150. For example, evaluation server 150 may obtain information from the identity provider regarding one or more software components for a side-loaded application being analyzed to determine its source.

In an alternative embodiment, the identity provider includes a database, which stores component identities (and optionally some or all of policies 116). Mobile device 149 may include applications that have been previously installed on mobile device 149. These applications may be installed from application marketplace 123 or the developer server.

The user policy 108 is stored locally in a memory of mobile device 149. In one embodiment, during operation, as discussed in more detail below, user policy 108 may be used to define the handling of components 104 and 106 on mobile device 149.

In one embodiment, a user policy for mobile device 149 may alternatively (or in addition to user policy 108) be stored as one of policies 116 on the evaluation server 150 and/or the identity provider. A user or administrator policy may be enforced on mobile device 149 using either a local user policy or a remote user policy, or a combination thereof.

As discussed in more detail below, after an application 102 is installed on mobile device 149, components 104 and 106 may be identified and behaviors exhibited on mobile device 149 may be attributed to one or more of components 104 and 106. Any given component (e.g., component 104) may be present in several different applications on mobile device 149 and/or may be common to numerous copies or versions of an application that have been installed on mobile or other computing devices for large numbers of other users. In one embodiment, this commonality of component presence permits observing and collecting structural and behavioral data associated with the component (e.g., how the component behaves on other mobile devices). This known component data may be stored in a database (not shown) of evaluation server 150, and the component data may be associated with a particular component identity. Thus, a data repository of prior component data can be used to compare to data more recently obtained for new components (such as those identified in newly-installed applications on mobile device 149). The results of the component comparison can also be used when determining a source of an application.

More specifically, as characteristics and behaviors associated with components on mobile device 149 are identified and attributed, these characteristics and behaviors may be compared with known characteristics and behaviors stored either locally on mobile device 149 or stored remotely on the identity provider (which was discussed above) as data associated with component identities (these identities may also be associated with previously-determined sources of the corresponding applications). The results from such comparisons in combination with determination of source, and/or mobile device state or application state, may be used for making decisions regarding configuration and/or disabling of one or more particular components on the mobile device or other computing device (e.g. user terminal 141), as discussed in greater detail below.

Although FIG. 1 illustrates an exemplary system implemented in client-server architecture, embodiments of the disclosure can be implemented in various alternative architectures. For example, the evaluation server 150 may be implemented via a peer to peer network of user terminals in some embodiments, where applications and data/information from mobile devices are shared via peer to peer communication connections.

In some embodiments, a combination of client server architecture and peer to peer architecture can be used, in which one or more centralized servers may be used to provide some of the information and/or services and the peer to peer network is used to provide other information and/or services. Thus, embodiments of the disclosure are not limited to a particular architecture.

FIG. 2 shows a web page of an application marketplace 123 (e.g., the Google Play service) offering multiple applications (A, B, C) for remote installation on mobile devices, according to one embodiment. A user accesses the web page and selects an application for remote installation. The user may pay for the application on a web page provided by marketplace 123 (unless the application is free of charge). The application marketplace 123 may be a trusted source of applications. It should be noted that in other embodiments, a marketplace such as Google Play is not limited to access only via a web page, but also may be accessed via an application installed on a mobile device, such as the Google “Play Store” application on Android.

An example of an application available for download from the Google Play Store is an application known as “BTController”. Some user reviews for this application have included complaints about excessive advertisements on the user's mobile device after installation. Thus, this may be considered an undesirable application (e.g., Google Play could be defined as untrusted with respect to this particular application). For example, evaluation server 150 can store a record associating a source identifier for the Google Play Store with an application identifier for this undesirable application. In response to a request from a mobile device requesting a state designation for a new application being installed on the mobile device that has been determined to be similar to this undesirable application, evaluation server 150 sends a state designation having a value of untrusted.

FIG. 3 shows the system of FIG. 1 further illustrating an administrator server 302 communicating with the evaluation server 150, according to various embodiments. Administrator server 302 stores policies 308 (e.g., user policies), which relate to mobile device management of mobile device 149 and other mobile devices. Policies 308 may be shared with evaluation server 150, as mentioned above. In an alternative embodiment, evaluation server 150 and administrator server 302 could be the same computing device.

In one embodiment, evaluation server 150 uses one of policies 308 that is applicable to mobile device 149 as part of evaluating risk associated with mobile device 149. In one embodiment, this policy may be used to determine a threshold that a risk configuration of mobile device 149 must pass in order to access a service provided by service provider 170.

Administrator server 302 and evaluation server 150 communicate during side-load protection using network 121. This communication includes sharing of data regarding applications associated with mobile device 149, and the providing of state designations from administrator server 302 to evaluation server 150. The provided state designations may be based on data repositories and analysis of an application and/or its source as performed by administrator server 302.

Mobile device 149 stores state data 306 and mobile application data 304. State data 306 includes a mobile device state and an application state for each of the applications installed or stored on mobile device 149. The mobile device state and the application state may be set based on communications received from evaluation server 150.

The mobile application data 304 includes an application identifier for each application of mobile device 149 and a source identifier for each such application. This source identifier identifies the source from which the application has been obtained. In one example, this source is a channel identifier provided in a field of data for an application package downloaded from an application marketplace. In other cases, the application does not contain any identification of source, but a source is determined and assigned to the application based on analysis of the application, or by observation of how an application file is provisioned to a computing device, as described herein.

FIG. 4 shows the system of FIG. 3 further illustrating state designations stored at the evaluation server 150 and the administrator server 302, according to various embodiments. More specifically, evaluation server 150 stores server application data 402 and further comprises a source database 406. Application data 402 includes a set of records, each record for an application stored on mobile device 149, and the record including an application identifier, a corresponding source identifier, and a state designation.

In one embodiment, application data 402 is used by evaluation server 150 in performing a security evaluation and response to an access request from mobile device 149. Other data that may be used in this evaluation includes data from source database 406, and/or application data 404 provided from administrator server 302.

The application identifier and source identifier are received from mobile device 149, for example, in one or more messages. In reply to these messages, evaluation server 150 sends a message with one or more state designations for each application identifier. Evaluation server 150 compares source identifiers from mobile device 149 with source identifiers in white list 408 and black list 410 of source database 406. White list 408 contains a list of source identifiers that have been previously determined to be trusted. Black list 410 includes a list of source identifiers that have been previously determined to be untrusted.

In some cases, evaluation server 150 determines and sends state designations to mobile device 149 without any interaction with administrator server 302. However, in other cases, evaluation server 150 sends a message to administrator server 302 providing an application identifier and source identifier along with the requests that administrator server 302 determine a state designation.

Administrator server 302 stores administrator application data 404, which includes application identifiers and source identifiers received from evaluation server 150. Administrator server 302 determines an administrator state designation for an application, as was mentioned above. This administrator state designation is sent to evaluation server 150, which uses the administrator state designation to set a state designation of the evaluation server for sending to mobile device 149. The state designation sent to mobile device 149 may be different than the administrator state designation that was received by evaluation server 150.

Various non-limiting embodiments for side-load source assessment and protection are now described below. In one embodiment, a non-transitory computer-readable storage medium stores computer-readable instructions, which when executed, cause a first computing device to: determine, by the first computing device, whether a first source identifier of a first application matches a white list of source identifiers; determine whether the first source identifier matches a black list of source identifiers; and send, by the first computing device to a second computing device, at least one message comprising the first source identifier and a first application identifier for the first application.

In one embodiment, the determining whether the first source identifier matches the black list is performed in response to the first source identifier not matching the white list. In one embodiment, the determining whether the first source identifier matches the white list is performed in response to the first source identifier not matching the black list. In one embodiment, the determining whether the first source identifier matches the white list is performed simultaneously with the determining whether the first source identifier matches the black list.

In one embodiment, the computer-readable instructions further cause the first computing device to, in response to the first source identifier matching the black list, set a device state of the first computing device to untrusted, and send the at least one message to the second computing device, the at least one message further comprising the device state. The computer-readable instructions may further cause the first computing device to store the device state, wherein the device state can be set to values including trusted and untrusted.

In one embodiment, the computer-readable instructions further cause the first computing device to, in response to the first source identifier not matching the black list, set a first application state for the first application to unknown, and send the at least one message to the second computing device, the at least one message further comprising the first application state. The computer-readable instructions may further cause the first computing device to store data for a plurality of applications, the data comprising an application state and a source identifier for each of the applications, wherein each application state can be set to values including known and unknown.

In one embodiment, the computer-readable instructions further cause the first computing device to receive a message from the second computing device, the message comprising a first state designation for the first application. In one embodiment, the computer-readable instructions further cause the first computing device to set the device state to the first state designation. In one embodiment, the device state is set to the first state designation only if a device state of the first computing device is not set to untrusted.

In one embodiment, the computer-readable instructions further cause the first computing device to, prior to determining whether the first source identifier matches the white list, receive the white list from the second computing device. In one embodiment, the first computing device is a vehicle, a personal communications device, a wearable digital device, an electronic kiosk, a general purpose computer, an electronic document reader, a tablet, a laptop computer, a smartphone, a digital camera, a residential domestic appliance, a television, a digital music player, or a computing device that is embedded in a vehicle or other piece of machinery.

In one embodiment, a method includes: storing, by a first computing device, data for a plurality of applications associated with a second computing device, the data comprising a state designation for each of the applications, wherein the state designation can be set to values including trusted and untrusted; receiving, by the first computing device from the second computing device, a first application identifier and a first source identifier, each for a first application; setting, by the first computing device, a first state designation for the first application, wherein the first state designation is to be used for setting a state on the second computing device; and sending, by the first computing device, the first state designation to the second computing device. The state to be set may be a device state, or an application state for an application stored on the second computing device.

In one embodiment, the setting the first state designation comprises: sending, by the first computing device, over a network, the first application identifier and the first source identifier to a third computing device; receiving, from the third computing device, a second state designation for the first application; and setting the first state designation based on the second state designation.

In one embodiment, the setting the first state designation comprises: determining whether the first source identifier matches a white list of source identifiers; and in response to the first source identifier matching the white list, setting the first state designation to trusted.

In one embodiment, the setting the first state designation comprises: determining whether the first source identifier matches a white list of source identifiers; and in response to the first source identifier not matching the white list, determining whether the first source identifier matches a black list of source identifiers.

In one embodiment, the setting the first state designation further comprises, in response to the first source identifier matching the black list, setting the first state designation to untrusted. In one embodiment, the setting the first state designation further comprises, in response to the first source identifier not matching the black list: sending the first application identifier and the first source identifier to a third computing device; and setting the first state designation based on a second state designation received from the third computing device. In one embodiment, the method further comprises updating the black list based on the second state designation.

In one embodiment, a system includes: at least one processor; and memory storing instructions configured to instruct the at least one processor to: receive, from a first computing device, a first application identifier and a first source identifier, each for a first application of the first computing device; determine whether the first source identifier matches a white list of source identifiers; and determine whether the first source identifier matches a black list of source identifiers; send the first application identifier and the first source identifier over a network to a second computing device; receive, from the second computing device, a first state designation for the first application; set a second state designation based on the first state designation; and send the second state designation to the first computing device.

In one embodiment, the determining whether the first source identifier matches the black list is performed in response to the first source identifier not matching the white list. In one embodiment, the sending the first application identifier and the first source identifier to the second computing device is performed in response to the first source identifier not matching the black list. In one embodiment, the instructions are further configured to instruct the at least one processor to update the white list based on the first state designation.

In one embodiment, the system further comprises a database storing data for a plurality of applications associated with the first computing device, the data comprising a source identifier and a state designation for each of the applications, wherein each state designation can be set to values including trusted and untrusted.

In one embodiment, the first source identifier is based on a signature of the first application. In one embodiment, the instructions are further configured to instruct the at least one processor to receive a trusted source identifier from the second computing device, and update the white list based on the trusted source identifier. In one embodiment, the instructions are further configured to instruct the at least one processor to receive a trusted source identifier from the second computing device, and update the black list based on the trusted source identifier.

FIG. 5 shows a system for evaluating a source for applications, in which a evaluation server 150 communicates with an authenticity server 1005 regarding applications installed or being installed on mobile device 149, according to one embodiment. In making a determination of the source of software for mobile device 149, evaluation server 150 communicates with mobile device 149 and authenticity server 1005, and optionally an administrator server (not shown) as discussed above.

In one embodiment, the source of software for mobile device 149 is used by evaluation server 150 in performing a security evaluation for a risk level of mobile device 149 in response to a request initiated by mobile device 149 to access the service provided by service provider 170.

Authenticity server 1005 includes a database 1007, which stores component data 1009 and a repository 1003. Repository 1003 contains package identifiers and signing identifiers for applications being installed on mobile device 149.

In one embodiment, authenticity server 1005 receives from mobile device 149 a package identifier and a signing identifier associated with new application 1013. Authenticity server 1005 uses a plurality of inputs, such as are described herein, to evaluate the authenticity of new application 1013. This evaluation provides a result, for example a score indicating the risk of the new application being inauthentic. Based on this result, an action is performed by authenticity server 1005. If the score is above a threshold, the application may be deemed as being untrusted, or a state designation of untrusted may be sent to evaluation server 150.

In one example, this action is the sending of a notification to mobile device 149 in order to alert the user that the new application 1013 may be fraudulent or a tampered version. New application 1013 may have been provided, for example, to application marketplace 123 or directly to mobile device 149, by developer server 160, along with signing certificate 162. Developer server 160 also provides a package identifier for new application 1013. Signing certificate 162 is one form of signing identifier that may be provided to authenticity server 1005 for evaluation of new application 1013.

In one embodiment, authenticity server 1005 compares signing certificate 162 to an existing signing identifier contained in repository 1003. Authenticity server 1005, in one example, compares signing certificate 162 to a known, good signing key stored in repository 1003.

In one embodiment, authenticity server 1005 has a registry of known application signing keys and the package names they are registered for. If an application pretends to own one of those package names with a different signing key, a user is alerted that the application is likely tampered with. In some cases, authenticity server 1005 may also use similarity detection to determine that, even if an application has a different package name, it is highly similar to another previously-known application, but has a different signer. Various additional embodiments relating to authenticity server 1005 are discussed in greater detail below.

FIG. 6 shows a display 602 of a mobile device 606 of a user, in which the display 602 presents an icon 604 to the user for an application store (e.g., Apple App Store), according to one embodiment. In one embodiment, mobile device 606 is mobile device 149 of FIG. 1. Display 602 presents other icons correspond to applications loaded onto mobile device 606.

FIG. 7 shows the display of the mobile device 606, on which a notification 702 is presented to the user for approving installation of a software client (i.e., “Email Client”) on mobile device 606, according to one embodiment. Enterprise administrators typically are not concerned with malware in an established application store such as the Apple App Store. Enterprise users are typically trained to install applications from other sources such as mobile device management and websites designated by the administrator.

FIG. 8 shows the display of the mobile device 606, on which a notification 802 is provided to query a user whether to trust an application from an identified software developer (e.g., a developer associated with developer server 160), according to one embodiment. Enterprise signing certificates can be used to sign an application so that it can be distributed to any device. An administrator of the enterprise may desire that its users only install applications from an established application marketplace or applications that are signed by the enterprise signing certificate.

FIG. 9 shows the display of the mobile device 606, on which a notification 902 is provided from evaluation server 150 or administrator server 302 indicating that an application being installed may be from an untrusted source, according to one embodiment. The source of this application has been determined to be an untrusted source based on the various methods as described herein.

FIG. 10 shows a user console 1032 of evaluation server 150 in communication via an application programming interface with a user console 1034 of administrator server 302, according to one embodiment. Console 1032 provides a display to the user of a variety of information including a list of side-loaded applications detected as potential malware, along with metadata for such applications including signers, permissions, and frameworks. The same information may be provided to console 1034 over network 121. After detection of malware or other undesired side-loaded applications, an administrator can control remediation activities on mobile devices such as mobile device 149.

FIG. 11 shows a block diagram of a computing device 201 (e.g., evaluation server 150, administrator server 302, or authenticity server 1005), which can be used in various embodiments. While FIG. 11 illustrates various components, it is not intended to represent any particular architecture or manner of interconnecting the components. Other systems that have fewer or more components may also be used. In an embodiment, an evaluation server, an administrator server, an authenticity server, or an identity provider may each reside on separate computing systems, or one or more may run on the same computing device, in various combinations.

In FIG. 11, computing device 201 includes an inter-connect 202 (e.g., bus and system core logic), which interconnects a microprocessor(s) 203 and memory 208. The microprocessor 203 is coupled to cache memory 204 in the example of FIG. 11.

The inter-connect 202 interconnects the microprocessor(s) 203 and the memory 208 together and also interconnects them to a display controller and display device 207 and to peripheral devices such as input/output (I/O) devices 205 through an input/output controller(s) 206. Typical I/O devices include mice, keyboards, modems, network interfaces, printers, scanners, video cameras and other devices which are well known in the art.

The inter-connect 202 may include one or more buses connected to one another through various bridges, controllers and/or adapters. In one embodiment the I/O controller 206 includes a USB (Universal Serial Bus) adapter for controlling USB peripherals, and/or an IEEE-1394 bus adapter for controlling IEEE-1394 peripherals.

The memory 208 may include ROM (Read Only Memory), and volatile RAM (Random Access Memory) and non-volatile memory, such as hard drive, flash memory, etc.

Volatile RAM is typically implemented as dynamic RAM (DRAM) which requires power continually in order to refresh or maintain the data in the memory. Non-volatile memory is typically a magnetic hard drive, a magnetic optical drive, or an optical drive (e.g., a DVD RAM), or other type of memory system which maintains data even after power is removed from the system. The non-volatile memory may also be a random access memory.

The non-volatile memory can be a local device coupled directly to the rest of the components in the computing device. A non-volatile memory that is remote from the computing device, such as a network storage device coupled to the computing device through a network interface such as a modem or Ethernet interface, can also be used.

In one embodiment, a computing device as illustrated in FIG. 11 is used to implement evaluation server 150, application marketplace 123, service provider 170, identity provider 172, administrator server 302, and/or other servers.

In another embodiment, a computing device as illustrated in FIG. 11 is used to implement a user terminal or a mobile device on which an application is installed or being installed. A user terminal may be in the form, for example, of a notebook computer or a personal desktop computer.

In some embodiments, one or more servers can be replaced with the service of a peer to peer network of a plurality of data processing systems, or a network of distributed computing systems. The peer to peer network, or a distributed computing system, can be collectively viewed as a computing device.

Embodiments of the disclosure can be implemented via the microprocessor(s) 203 and/or the memory 208. For example, the functionalities described can be partially implemented via hardware logic in the microprocessor(s) 203 and partially using the instructions stored in the memory 208. Some embodiments are implemented using the microprocessor(s) 203 without additional instructions stored in the memory 208. Some embodiments are implemented using the instructions stored in the memory 208 for execution by one or more general purpose microprocessor(s) 203. Thus, the disclosure is not limited to a specific configuration of hardware and/or software.

FIG. 12 shows a block diagram of a computing device (e.g., a mobile device of a user or a user terminal), according to one embodiment. In FIG. 12, the computing device includes an inter-connect 221 connecting the presentation device 229, user input device 231, a processor 233, a memory 227, a position identification unit 225 and a communication device 223.

In FIG. 12, the position identification unit 225 is used to identify a geographic location. The position identification unit 225 may include a satellite positioning system receiver, such as a Global Positioning System (GPS) receiver, to automatically identify the current position of the computing device.

In FIG. 12, the communication device 223 is configured to communicate with a server to provide data, including application data (e.g., an application identifier and a source identifier for a newly-sourced application). In one embodiment, the user input device 231 is configured to receive or generate user data or content. The user input device 231 may include a text input device, a still image camera, a video camera, and/or a sound recorder, etc.

Side-Load Protection Variations

Various non-limiting embodiments and examples related to side-load protection and/or determination of a source of side-loaded software are now discussed below. The embodiments and examples of this section (i.e., “Side-Load Protection Variations”) do not limit the generality of the foregoing discussion.

One embodiment involves there being multiple destinations or install-locations on a single mobile (or other computing) device. Specifically, each ‘container’ on a mobile device can represent a separate install location (e.g., the ‘personal’ container and the ‘work’ container), as with various container solutions. In this case, the designation of a channel as GOOD or BAD depends on the ‘install location’ for the app; that is, in one case, the only GOOD channel ID for the container on the device is the enterprise version of the app store; the general consumer version of the app store is not considered as a GOOD channel ID for the container. This variation may apply, for example, to any of the use cases above.

Some embodiments relate to wearable apps. These are apps which run on a wearable device (e.g., Android Wear), but these apps are packaged inside a handheld app, because users cannot browse and install apps directly on the wearable itself. If packaged properly, when users download the handheld app, a system automatically pushes the wearable app to the paired wearable. For example, see https://developerandroid.com/training/wearables/apps/packaging.html Also see https://developer.android.com/training/building-wearables.html

There are cases of wearable apps being packaged inside the APK for the handheld device for subsequent installation onto a wearable device. With respect to detection of malware, or determination of whether the app is undesired, the wearable app may be scanned using a whitelist or a blacklist or a decision component. Also, there are cases in which wearable apps do not run on the mobile device, but instead run on a paired or connected wearable, and which are provisioned via a connection through the mobile device. Here, the source identifier for the embedded wearable app consists of the source identifier of the containing app plus the fact that the wearable app was contained within that wearable app. The side load protection system may distinguish between the containing app for installation or running on the mobile device and the embedded app for installation or running on the wearable device; e.g., one may be allowed, while the other may not, the decisions of the system can be independent of each other for these two apps and devices.

In one embodiment, enterprise resources are protected when an application on a mobile device associated with the enterprise has been determined to have an application installed from an untrusted channel. In one example, a use case relates to applying an enterprise policy (in many variations). In this example, one or more of the following actions are taken:

At the mobile device:

-   -   access enterprise policy rules     -   follow enterprise policy rules (many possible actions or         combinations) such as:         -   present warning/notification info to the user,         -   remove untrusted app,         -   suspend access to the untrusted app,         -   instruct user to remove app,         -   provide instructions to the user,         -   suspend access to enterprise resources,         -   remove enterprise apps from the user interface,         -   disable access to enterprise apps on the mobile device,         -   suspend access to vpn (virtual private network),         -   suspend access to enterprise wifi,         -   suspend access to enterprise contact list,         -   suspend single sign on access requests,         -   present user with ability to restrict permissions for one or             more other applications,         -   transmit inventory of installed apps to a server,         -   delete enterprise content on the mobile device including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   suspend access to enterprise content on the mobile device             including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   require password to access enterprise resources,         -   remove enterprise email account from presentation on the             mobile device,         -   lock the phone,         -   locate the phone,         -   etc.

At the server:

-   -   access enterprise policy rules     -   follow enterprise policy rules (many possible actions or         combinations) such as:         -   transmit warning/notification in a message for presentation             to the user,         -   transmit message to mobile device to remove untrusted app,         -   transmit message to mobile device to suspend access to the             untrusted app,         -   transmit message to mobile device to instruct user to remove             app,         -   transmit message to mobile device to provide instructions to             the user,         -   transmit message to mobile device to suspend access to             enterprise resources,         -   suspend access of the mobile device to enterprise resources             in the network,         -   transmit message to mobile device to remove enterprise apps             from the user interface,         -   transmit message to mobile device to disable access to             enterprise apps on the mobile device,         -   suspend access of the apps on the mobile device to             enterprise resources in the network         -   transmit message to mobile device to suspend access to vpn,         -   deny vpn access requests from the mobile device,         -   transmit message to mobile device to suspend access to             enterprise wifi,         -   deny wifi access requests from the mobile device         -   suspend access to enterprise contact list,         -   transmit message to mobile device to suspend single sign on             access requests,         -   deny single sign on requests from the mobile device,         -   transmit message to mobile device to present user with             ability to restrict permissions for one or more other             applications,         -   transmit message to mobile device to transmit inventory of             installed apps to a server,         -   transmit message to mobile device to delete enterprise             content on the mobile device including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   transmit message to mobile device to suspend access to             enterprise content on the mobile device including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   transmit message to mobile device to require password to             access enterprise resources,         -   transmit message to mobile device to remove enterprise email             account from presentation on the mobile device,         -   prevent delivery of enterprise content to the mobile device,         -   etc.

In another embodiment, trust is restored between an enterprise admin server and a mobile device that hosts an app that was installed from an untrusted channel. In one example, a use case relates to managed restoration of suspended functionality.

For example, one or more of the following actions are taken:

At the mobile device or terminal:

-   -   Perform one or more of the following:         -   Restore the mobile device to factory settings.         -   Restore the mobile device memory to the state that existed             at a time that preceded the installation of the untrusted             app.         -   Receive an one or more instructions from a server and             execute those instructions on the mobile device.     -   Report the completion of all necessary actions and the readiness         of the mobile device to re-enter a ‘trusted’ state by sending a         message to a server.     -   Receive an instruction from the server to set the mobile device         to a trusted state.     -   Set the state of the mobile device to ‘trusted’     -   Restore access to enterprise resources.         -   present ‘everything is ok’ notification to the user,         -   provide instructions to the user,         -   restore enterprise apps to the user interface,         -   enable access to enterprise apps on the mobile device,         -   restore access to vpn,         -   restore access to enterprise wifi,         -   restore access to enterprise contact list,         -   restore single sign on access requests,         -   present user with ability to change permissions for one or             more other applications,         -   restore enterprise content on the mobile device including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   restore access to enterprise content on the mobile device             including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   restore single sign on access to enterprise resources,         -   restore enterprise email account presentation on the mobile             device,             At the server:     -   Receive a message from the mobile device that the completion of         all necessary actions has occurred and the mobile device is         ready to re-enter a ‘trusted’ state     -   Restore access to enterprise resources.         -   Send a message to the mobile device providing instructions             to the user,         -   Send a message to the mobile device to restore enterprise             apps to the user interface,         -   Send a message to the mobile device to enable access to             enterprise apps on the mobile device,         -   Enable enterprise apps to access enterprise resources in the             network         -   Send a message to the mobile device to restore access to             vpn,         -   Enable access to the enterprise vpn         -   Send a message to the mobile device to restore access to             enterprise wifi,         -   Enable access to the enterprise wifi         -   Send a message to the mobile device to restore access to             enterprise contact list,         -   Enable access to the network copy of the enterprise contact             list         -   Send a message to the mobile device to restore single sign             on access requests,         -   Enable access to single sign on access requests         -   Send a message to the mobile device to present user with             ability to change permissions for one or more other             applications,         -   Send a message to the mobile device to restore enterprise             content on the mobile device including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   Enable access to enterprise content on the mobile device             including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   Enable access to enterprise content on in he network             including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   Send a message to the mobile device to restore access to             enterprise content on the mobile device including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   Send a message to the mobile device to restore access to             enterprise content on in the network including             -   bookmarked web sites             -   photos             -   notes             -   documents         -   Send a message to the mobile device to restore single sign             on access to enterprise resources,         -   Send a message to the mobile device to restore enterprise             email account presentation on the mobile device,     -   Send a message to the mobile device containing an instruction         from the server to set the mobile device to a trusted state.     -   Send a message to the mobile device to present ‘everything is         ok’ notification to the user,     -   Receive a message from the mobile device confirming that the         mobile device is in a ‘trusted’ state.

In another embodiment, a determination is made as to whether any high-risk activities occurred while a mobile device was in an untrusted state due to a side-loaded application. In one example, a use case relates to an access usage log and report.

For example, one or more of the following actions is taken:

On the mobile device:

-   -   Determine the time of installation of the side loaded app         associated with the mobile device entering the ‘untrusted’ state     -   Transmit the determined time of installation of the app         associated with the mobile device entering the ‘untrusted’ state         to a server (e.g., evaluation server 150 or admin server 302)     -   Determine usage parameters such as the times and durations and         quantities where appropriate of any of the following:         -   Mobile device locked while still communicating data         -   Camera on         -   Microphone on         -   Mobile device accesses or attempts to access personally             identifiable data         -   Mobile device accesses or attempts to access enterprise             resources         -   Mobile device connected via vpn or attempts to connect via             vpn         -   Mobile device connected via enterprise wifi or attempts to             connect via wifi         -   DNS resolution attempts (DNS probing by the device)         -   USB connector in use         -   Bluetooth in use         -   NFC in use         -   802.15 in use         -   Data sent to an address inside the enterprise addressing             domain         -   Data sent to an address outside the enterprise addressing             domain             -   Address is a known ‘bad’ address (e.g., location of a                 CNC server or malware server)         -   Data received from an address inside the enterprise             addressing domain         -   Data received from an address outside the enterprise             addressing domain             -   Address is a known ‘bad’ address (e.g., location of a                 CNC server or malware server)         -   Single sign on used to access a resource or single sign on             attempted to be used for accessing a resource.         -   Enterprise content accessed or attempted to be accessed         -   App installed or app update installed         -   Operating system or firmware update applied         -   Device hard reset performed         -   Device booted into recovery mode         -   The locations of the mobile device         -   Recording the identifiers of nearby beacons, Wi-Fi SSIDs or             BSSIDs, or Bluetooth identifiers, or other network related             identifiers         -   Switching off the mobile device         -   Switching on the mobile device         -   Removal and insertion of memory cards and sim cards         -   Use of sensors on the mobile device (part of device or             connected to device), such as biometric sensors,             accelerometer, gyroscope, magnetic sensor, proximity sensor,             temperature sensor, barometric sensor, etc.         -   Reading information from the /proc filesystem         -   Attempts to read or write information to normally protected             areas of a filesystem     -   Transmit the results of the determination of usage parameters to         a server (e.g., evaluation server 150)     -   Receive an acknowledgement from the server     -   Display the determination of usage parameters on the display of         the mobile device.         At the server:     -   Receive a message from the mobile device containing the time of         installation of the app associated with the mobile device         entering the ‘untrusted’ state     -   Receive a message from the mobile device containing usage         parameters such as the times and durations and quantities where         appropriate of any of the following:         -   Mobile device locked while still communicating data         -   Camera on         -   Microphone on         -   Mobile device accesses or attempts to access personally             identifiable data         -   Mobile device accesses or attempts to access enterprise             resources         -   Mobile device connected via vpn or attempts to connect via             vpn         -   Mobile device connected via enterprise wifi or attempts to             connect via wifi         -   DNS resolution attempts (e.g., DNS probing by the device)         -   USB connector in use         -   Bluetooth in use         -   NFC in use         -   802.15 in use         -   Data sent to an address inside the enterprise addressing             domain         -   Data sent to an address outside the enterprise addressing             domain             -   Address is a known ‘bad’ address (e.g., location of a                 CNC server or malware server)         -   Data received from an address inside the enterprise             addressing domain         -   Data received from an address outside the enterprise             addressing domain             -   Address is a known ‘bad’ address (e.g., location of a                 CNC server or malware server)         -   Single sign on used to access a resource or single sign on             attempted to be used for accessing a resource.         -   Enterprise content accessed or attempted to be accessed         -   App installed or app update installed         -   Operating system or firmware update applied         -   Device hard reset performed         -   Device booted into recovery mode         -   The locations of the mobile device         -   Recording the identifiers of nearby beacons, Wi-Fi SSIDs or             BSSIDs, or Bluetooth identifiers, or other network related             identifiers         -   Switching off the mobile device         -   Switching on the mobile device         -   Removal and insertion of memory cards and sim cards         -   Use of sensors on the mobile device (part of device or             connected to device), such as biometric sensors,             accelerometer, gyroscope, magnetic sensor, proximity sensor,             temperature sensor, barometric sensor, etc.         -   Reading information from the /proc filesystem         -   Attempts to read or write information to normally protected             areas of a filesystem     -   Determine the level of risk based on the received messages

In one variation of the above, data has been sent that should not have been sent, and the amount of data and/or the frequency of such activity was unusual or inappropriate. The actual data that is sent is captured or inspected (or received). When inspecting such data, the administrator is notified of the findings.

In another embodiment, a population is managed in which the population includes mobile devices associated with an enterprise. The mobile devices have multiple diverse apps installed from multiple diverse channels and some of those apps are determined to be side-loaded apps (e.g., determined using evaluation server 150). In one example, a use case relates to comparing a population of interest with a control population.

For example, one or more of the following actions are taken:

At the server (e.g., evaluation server 150):

-   -   Measure the proportion of mobile devices hosting an app         downloaded from an untrusted channel     -   Compare the measured proportion with similar proportions         reported for another population of mobile devices         -   If the measured proportion is sufficiently greater than the             reported proportion:             -   Send a notification of the measured proportion and the                 reported proportion to an administrator (e.g., admin                 server 302)             -   Receive a determination of the level of risk from the                 administrator.             -   If the determined level of risk is higher than an                 acceptable level of risk:                 -   Revoke access to enterprise resources for all of the                     mobile devices hosting the app that was downloaded                     from an untrustworthy channel                 -   Send a message to each of the mobile devices hosting                     the app downloaded from the untrusted channel                     indicating that the devices are in an ‘untrusted’                     state                 -   Send instructions to each of the mobile devices for                     presentation to the user                 -   Send instructions to the mobile devices per the use                     case 2.1 discussed in detail above.

In another embodiment, a determination is made of the channel or other source for an application. In one example, a use case 6.1 relates to a value obtained from an operating system (OS) for determining a channel ID, if the ID is available. If a channel ID is not available, a channel is determined from network and/or file system activity by monitoring file system changes.

For example, one or more of the following actions may be taken:

At the mobile device:

-   -   Monitor for changes in the file system     -   Detect a file being written which represents an application         (e.g., .apk, .ipa, etc.)     -   Determine which application is writing the file to the file         system     -   Determine which network addresses are being read from by the         application that is writing the file to the file system     -   Assign a channel ID for the detected downloaded app based on the         active network address or the application which is writing the         file to the file system

In another example, a use case relates to determining a channel ID by monitoring network activity.

For example, one or more of the following actions may be taken:

At the mobile device:

-   -   Monitor network activity for applications     -   Detect a network transmission being read at the device which         represents an application (e.g., .apk, .ipa, etc.) (e.g., this         can be determined by an HTTP header Content-type header, or an         MIME type in the transmission (e.g.,         application/vnd.android.package-archive), or the detection of a         ‘magic number’ or file format signature)     -   Assign a channel ID for the detected downloaded app based on the         active network address from which the transmission containing an         application is coming.

At a network appliance (or server):

-   -   Monitor network activity for a mobile device,     -   Detect a network transmission being sent to the device which         represents an application (.apk, .ipa, etc.) (e.g., this can be         determined by an HTTP header Content-type header, or an MIME         type in the transmission (e.g.,         application/vnd.android.package-archive), or the detection of a         ‘magic number’ or file format signature)     -   Assign a channel ID for the detected downloaded app based on the         active network address from which the transmission containing an         application is coming.

In one embodiment, previous behavior associated with a side-loaded app on another phone is used to predict the same behavior based on the early indications on the subject phone.

In other embodiments, side-loaded apps are identified in various ways. In one embodiment, an origin of the app is identified, and a determination is made (e.g., by evaluation server 150) whether the app is still available in the version that is currently being assessed (e.g., when being considered for installation on mobile device 149).

For origin detection, some things can be done in advance; for applications that are still available, a server checks corpus or a known App Store to see if the app still available there, or if a more recent version of the same app (e.g., as determined by similarity analysis as discussed herein) is now available, or if the version currently being analyzed is no longer available.

In some embodiments regarding origin detection, when a channel ID is not otherwise obtainable, a system may determine a source or channel ID by observing activity in a device's network connections or browser activity or file system operations. E.g., code that executes within a browser (such as a browser extension or plugin or a built-in browser function) or code that is observing the browser's activity (e.g., via monitoring of Android intents, or IOS protocol handlers, or via a network intercept on a device, such as for example a network shim or adapter or VPN or in a network appliance). Such code can detect that an app (e.g., an .apk or .ipa or other app packaging file format) is being downloaded (e.g., looking at a URL for source, or looking at HTTP header Content-type (e.g., application/vnd.android.package-archive for an Android APK, or application/octet-stream for an iOS IPA file); or seeing how the file name is represented in headers if present to see that a .apk or .ipa application file type is being downloaded). An app whose download is detected in this manner can be determined to be from a source or channel ID of the network location or URL used for the download.

In one embodiment, it may be detected whether an app download is via a client pull request or a web App Store push request, or an MDM app push request.

In one embodiment, an app has the same hash as a version from a known source, but is not delivered via that source. For example, an app is delivered via USB or Bluetooth (BT) or another peripheral form of communication (e.g., an Android USB ADB interface). Or an app is or was delivered by some other app (e.g., a third-party App Store app).

In one embodiment regarding post-installation detection for an application, a server or other computing device determines a source of the application by visiting/going to a plurality of well-known app stores, and seeing if an app with the same hash is available for download there (e.g., this can include an enterprise App Store or an MDM controlled store). Alternatively, one can use a cache of such info obtained previously from these source(s) (e.g., at a security company server); and determine that (i) an app with this hash is available there now; or (ii) an app with this hash is not available there now, but was available there in the past; and/or (iii) a newer version of the app (e.g., as determined by component analysis and/or similarity analysis as described herein) is now available there. Also, in some cases, the same app can have been available from multiple sources.

In one embodiment, for reports to administrators or other enterprise reports, it is determined whether this app is present on any other devices for the enterprise (e.g., mobile devices managed by admin server 302) plus numbers of devices and/or details of device activity, including present and/or historical. The prevalence of this app on any worldwide devices may be determined, including details of app or history or statistics of usage or behavior; and optionally determination of the prevalence among other enterprises' devices anonymized with optional classification of enterprise size and IR type (e.g., SAIC Code).

In one embodiment, high confidence (e.g., confidence determined to be above a threshold) findings can be reported to an admin server, including support for a correlation of the app presence with any of: network endpoints visited; other apps present on the mobile device; or any other metadata related to device or networks connected to the mobile device, or user or other metadata. Also, a server can track the origin as to what network(s) device the mobile device was connected to at the time of download, or the specific computing device/network through which the download to the mobile device was made.

In some cases, an app is preloaded on a device. It can be determined whether the app has been updated since the preload time (e.g., updated by an automatic update and/or a user-initiated update); and/or whether a firmware flash or OTA OS UPDATE has occurred.

In one variation, an indication is put inside the app (e.g., inserted by the developer, such as by a developer server, into or with the code of the application) of an intended channel for delivery. The app should not show up with a different channel ID having been determined after analysis (e.g., by evaluation server 150). Otherwise, the app is considered to be from a bad source or untrusted.

In one embodiment, a change in the assessment of an app (e.g., as being benign, or malware, or other) may trigger a change in the assessment of a channel (e.g., the channel through which the app was distributed). For example, if a channel had been hitherto determined to be unknown (vs. trusted or untrusted), then the channel assessment may be altered to trusted or untrusted.

Evaluation and Monitoring of Applications Installed on Computing Devices

As described in more detail below, a user may express an intent as to how the user desires its computing device (e.g., mobile device 149) to behave. The intent may be explicitly provided by the user or may be otherwise determined (e.g., by reference to a database on a remote server). In one embodiment, the user's intent defines how the user wants to control receiving of certain types of messages (e.g., advertisements). The type of control desired by the user in its various forms of experience on a computing device (e.g., a mobile device 149) is expressed in the user's intent. This intent may be used to determine various behaviors of the computing device. For example, some undesired behaviors may be stopped by disabling various components of one or more applications that have been previously installed on the user's mobile device.

In one embodiment, the system of FIG. 1 may be used for control of behavior on computing devices or for analysis of software components, each as described herein, in which user terminals and mobile devices, or other computing devices communicate with a messaging server and/or application marketplace 123, or with an identity provider (some examples of an identity provider were discussed above), according to various embodiments as described below. In FIG. 1, the user terminals (e.g., 141, 143, . . . , 145) and/or mobile devices 147, 149 are used to access and/or communicate with evaluation server 150, an identity provider, application marketplace 123 (e.g., an Android or Google Play marketplace), and/or a messaging server (e.g., an email server) (not shown) over communication network 121.

A server (e.g., evaluation server 150 or administrator server 302) receives at least one behavioral preference of the user from mobile device 149, and the at least one behavioral preference is determined by the application based on input from the user. The server stores the at least one behavioral preference for later uses such as responding to queries from other computing devices regarding the intent of the user of mobile device 149. In one embodiment, the server is independently maintained by each of many ad networks. The Ad Network Detector as discussed herein may manage these behavioral preferences on behalf of a user for these networks. In an alternative embodiment, an identity provider (e.g., such as was discussed above) includes a database, which stores component identities and user policies.

In one embodiment, an application referred to herein as “Ad Network Detector” may be downloaded from the Google Play service onto a user's mobile device 149. The expressing of user intent and control of behavior for mobile device 149 as described below may be incorporated into or otherwise work in conjunction with the Ad Network Detector application.

The Ad Network Detector application scans a user's phone or tablet for the presence of ad networks used in mobile apps, giving the user information about what types of ads can be displayed, and what information is gathered by the ad networks. With access to this information, the user is able to decide whether to keep the application that has a particular ad network on the user's phone.

Mobile device (e.g., smartphone or tablet) usage has increased dramatically, and some advertisers have begun to experiment with aggressive, new techniques to display ads on mobile devices. These techniques include pushing ads to the standard Android notification bar, dropping generically designed icons on the mobile desktop, and modifying browser settings like bookmarks or the default homepage. Because each of these techniques can display an advertisement outside the context of a specific application, it's difficult for users to know exactly which app is responsible for any given ad. The Ad Network Detector application provides a method for users to determine which ad network and application are the source for such ads.

Some ad networks also collect information that identifies a specific device or user for use in targeted marketing campaigns. Much like for browser-based ads, this practice allows users to see more personalized or relevant ads. It is sometimes difficult for a user to know what aspects of the user's information are collected by ad networks. The capabilities and information collection methods specific to each ad network may be determined from investigation. The Ad Network Detector application informs the user what data is being collected, and by which ad network/application.

In this embodiment, the Ad Network Detector application provides information to the user to about practices supporting mobile advertising. The application may detect many ad networks.

Regarding ad network capabilities and privacy, in this embodiment the capabilities and information collection methods specific to each ad network may be investigated. Based on this investigation, the Ad Network Detector application details what identifying information is collected by each ad network, and how it is collected. This may include personal information directly linkable to an individual user, such as an email address, and device and network information that is specific to an individual device or network, rather than to the user.

In one embodiment, a screen is presented by an installed application (e.g. the Ad Network Detector application after installation from application marketplace 123) to a user on a display of mobile device 149. In this embodiment, a user expresses his or her intent to control behavior of application components on mobile device 149.

In one example, a BTController application has previously been installed on the mobile device 149 by the user, among numerous other user-installed applications. The BTController includes an advertisement network component having several behaviors. A first behavior is the display of advertisements in the notification bar of mobile device 149.

In this embodiment, the components of each application (e.g., BTController) previously installed on mobile device 149 are determined (e.g., determined by an application or another tool installed on the mobile device for that purpose). For example, a scan to determine these components may be initiated by the user by her clicking on or touching a start scan button of a user interface.

An example of a component to be identified is the LeadBolt advertising network included in the BTController application. In addition, at least one behavior (e.g., displaying of ads in the notification bar) associated with each of the components for an installed application is identified.

The identified behaviors are presented to the user (e.g., in a list of scan results). At least one behavioral preference expressing the intent of the user is determined (e.g., a desire of the user to opt out of a particular behavior). This intent is then implemented on the mobile device by reconfiguring the identified components of various applications on the mobile device as necessary to conform to the user's expressed intent.

In one embodiment, a status display presented to the user by the installed application that indicates the status of analyzing applications on the mobile device 149 (i.e., other applications that are installed on the mobile device) to identify their respective components, according to one embodiment. An extent of progress of the analysis or scan is indicated by a bar.

In one embodiment, a set of results is presented to the user from the analyzing of the applications on the mobile device 149. The results include a list of behaviors identified. For example, one behavior is the display of ads in the notification bar of the mobile device. The number of applications identified that include a component exhibiting the listed behavior is indicated in vertical arrangement or column.

For example, only one application was identified that includes a component exhibiting this behavior. Two applications were identified that include a component exhibiting a different behavior. In contrast, zero applications were identified including a component that exhibits yet another behavior. It should be noted that the count, in this implementation, refers to the number of components that exhibit a particular behavior. This count (or an additional count) in other implementations could reflect the number of applications that exhibit the behavior. Any given component may be present in several different applications, so these two counts are not necessarily equal.

In one embodiment, a screen presents information about an advertisement network (LeadBolt) incorporated in an application (BTController) installed on mobile device 149. The screen includes a description of the behavior associated with the application.

In one embodiment, a screen presents an opt-out button for the user to opt out of the advertisement network. The screen includes a description describing an opt-out option for the advertisement network. The user expresses her intent by clicking on or touching (e.g., on a touch screen) opt-out button.

In one embodiment, the user's intent may be stored locally in a memory of mobile device 149. Alternatively, this intent may be stored remotely on a different computing device such as a server (e.g., a server operated by the software developer of the Ad Network Detector discussed above) accessible via communication network 121. This server may also be accessible by third-party application developers in order to conform behaviors to intents previously expressed by respective users. In another embodiment, this server is operated by the owner of the component.

Various other embodiments are now described below. In a first embodiment, a computer-readable storage medium stores computer-readable instructions (e.g., instructions of an Ad Network Detector), which when executed, cause a computing device (e.g., a mobile device of a user) to, for an application installed on the mobile device of the user, determine components of the application; identify, via at least one processor of the mobile device, at least one behavior associated with each of the components, including a first behavior (e.g., ad display in a notification bar) associated with a first component; present results from the identifying to the user, the results to include a list of behaviors including the first behavior; and receive a selection from the user of at least one behavioral preference. Further information regarding determining the components of an application is discussed in greater detail below in the section titled “Analyzing Components of an Application”.

In one embodiment, the at least one behavioral preference is selected from the group consisting of: opting out of the first behavior; opting out of one or more of the components including the first component; a set of user preferences for specifically-identified behaviors; and a policy. In one embodiment, the at least one behavioral preference is a policy, and the policy is enforced on new applications installed on the mobile device. In one embodiment, the first component enables the user to selectively opt out of individual behaviors of the first component.

In one embodiment, the selection from the user of at least one behavioral preference is to opt out of the first behavior, and the instructions further cause, after the opting out, running the first component to determine whether the first behavior is active. In one embodiment, the determining whether the first behavior is active comprises at least one activity selected from the group consisting of: running the first component in an emulated environment on a different computing device (e.g., a developer server); and monitoring behavior on the mobile device after receiving the selection from the user.

In one embodiment, the selection from the user of at least one behavioral preference is to opt out of the first behavior, and the instructions further cause, after the opting out, determining a status of the opting out using an application programming interface of the first component. In one embodiment, the instructions further cause the mobile device to, in response to the selection from the user, reconfigure execution of the first component so that the first behavior no longer occurs on the mobile device.

In one embodiment, the instructions further cause, in response to the selection from the user, uninstalling the application from the mobile computing device. In one embodiment, the instructions further cause, in response to the selection from the user, disabling further execution of the first component on the mobile device. In one embodiment, the first component is shared by the application and an additional application, and the disabling affects both the application and the additional application.

In one embodiment, the first behavior is a presentation of messages to the user. In one embodiment, the messages include at least one advertisement presented in a notification area of the mobile device. In one embodiment, the presentation of messages is outside of a context of the application presented to the user during normal operation of the application. In one embodiment, the first component is a part of the application.

In one embodiment, the instructions further cause displaying opt-out options to the user, wherein the opt-out options are solely for applications already installed on the mobile device. In one embodiment, the instructions further cause displaying opt-out options to the user, the opt-out options comprising all possible opt-out flows for the user on the mobile device as determined from a database. In one embodiment, the first component is a linked library packaged with the application prior to installation of the application on the mobile device.

In one embodiment, the mobile device is, for example, a tablet device, or an Android phone device. In one embodiment, the first component is a portion of the executable code of the application, and the executable code enables the application to interact with an advertising network or an analytics network. In one embodiment, interaction with the advertising network comprises display of advertisements provided from the advertising network.

In one embodiment, a non-transitory computer-readable storage medium stores computer-readable instructions, which when executed, cause a computing device to: for an application installed on a computing device of a user, determine components of the application; identify, via at least one processor, at least one behavior associated with each of the components, including a first behavior associated with a first component; and determine at least one behavioral preference of the user.

In one embodiment, the instructions further cause storing the at least one behavioral preference on the computing device so that the application can locally determine the at least one behavioral preference. In one embodiment, the instructions further cause the first component to evaluate the at least on behavioral preference to determine how the first component is to behave on the computing device.

In one embodiment, the instructions further cause storing the at least one behavioral preference on a different computing device so that an advertisement network associated with the first component can query the different computing device (e.g., a developer server) in order to determine the at least one behavioral preference of the user. In one embodiment, the instructions further cause the first component to execute in conformance with results from the query of the different computing device, wherein the query includes a user identifier of the user.

In one embodiment, the instructions further cause: in response to downloading or installing the application, scanning the application to confirm compliance with the at least one behavioral preference of the user; and if the application violates the at least one behavioral preference, alerting the user of the violation or blocking installation of the application.

In one embodiment, a system comprises: a display; at least one processor; and memory storing instructions configured to instruct the at least one processor to: determine components of an installed application; identify at least one behavior associated with each of the components, including a first behavior associated with a first component; present, on the display, at least one component of the installed application for which a user can opt out; and receive a selection from the user of an opt-out for a first component of the at least one component.

In one embodiment, the instructions are further configured to instruct the at least one processor to present an opt-out status to the user for components for which the user has previously opted out.

In one embodiment, a method includes: for an application installed on a computing device of a user, determining components of the application; identifying, via at least one processor of the computing device, at least one behavior associated with each of the components, including a first behavior associated with a first component; presenting, on a display of the computing device, results from the identifying to the user, the results to include a list of behaviors including the first behavior; and receiving, via a user interface of the computing device, a selection from the user of at least one behavioral preference.

In one embodiment, a method includes: storing, in a memory (e.g., a memory of the developer server), a first application (e.g., the Ad Network Detector application) comprising computer-readable instructions, which when executed, cause a mobile device of a user to: determine components of a second application (e.g., BTController application) installed on the mobile device; identify at least one behavior associated with each of the components, including a first behavior associated with a first component (e.g., LeadBolt component); and determine at least one behavioral preference of the user; and sending, via at least one processor (e.g., microprocessor(s) of the developer server), over a communication network, the first application for storage in a data processing system (e.g., application marketplace 123) for subsequent installation from the data processing system onto the mobile device.

In one embodiment, the method further comprises communicating, via the at least one processor, with the first application after installation of the first application on the mobile device. In one embodiment, the data processing system comprises an application marketplace. In one embodiment, a network operator (e.g., Verizon or AT&T) controls the data processing system, and the mobile device is configured to operate with a cellular network operated by the network operator.

In one embodiment, a system (e.g., a developer server) comprises: at least one processor; and memory storing a first application, which when executed on a mobile device of a user, causes the mobile device to: determine components of a second application installed on the mobile device; identify at least one behavior associated with each of the components, including a first behavior associated with a first component; and determine at least one behavioral preference of the user; and the memory further storing instructions configured to instruct the at least one processor to send the first application to a data processing system (e.g., application marketplace 123) so that the first application can be later installed, over a communication network, on the mobile device from the data processing system.

In one embodiment, the instructions are further configured to instruct the at least one processor to communicate with the first application after installation of the first application on the mobile device.

In one embodiment, a method includes: communicating, via at least one processor (e.g., a processor of a software server), with an application (e.g., the Ad Network Detector application) executing on a mobile device of a user, the application identifying at least one behavior on the mobile device, the at least one behavior associated with each of a plurality of components of a plurality of other applications installed on the mobile device, and the at least one behavior including a first behavior associated with a first component; receiving at least one behavioral preference of the user from the mobile device, the at least one behavioral preference determined by the application based on input from the user; and storing, in a memory (e.g., storing in a database distributed among multiple database servers), the at least one behavioral preference.

In one embodiment, the method further comprises storing the at least one behavior. In one embodiment, the method further comprises receiving a query from an advertisement network, associated with the first component, the query requesting the at least one behavioral preference of the user. In one embodiment, the method further comprises receiving, from the mobile device, an identification of the first component; and running, via the at least one processor, the first component in an emulated environment to determine whether the first behavior is active.

In one embodiment, the method further comprises receiving a query regarding the at least one behavioral preference in order to determine conformance of a new application with the at least one behavioral preference. In one embodiment, the method further comprises providing information in response to a request, received over a communication network, in order to evaluate the at least one behavioral preference and determine how the first component is to behave on the mobile device.

Additional exemplary, non-limiting details regarding various implementations of the above embodiments are now described here below. In one example, a user may opt-out of specific components (e.g., as determined using the approaches described herein). The user is presented a list of components that the user can opt out of. The user may perform opt-out actions, or these may be done automatically upon user request or selection. Then, the user may see (e.g., on a display of a mobile device) a status indication that the user has opted out of identified components.

In one embodiment, there are various types of opt-out options. For example, a user may opt-out entirely of a component, opt-out of particular behaviors of a component, opt-in entirely to a component, opt-in to particular behaviors of a component, purge some or all data collected by a component, reset an identifier used to identify the user or device to a component, or otherwise modify the component's behavior on the device or the data transferred to or from the component on the device.

In one embodiment, opt-out options may be displayed to a user (e.g., on a display of a mobile device) using various approaches. In a first approach, this is done by detecting which components are present in installed applications on a mobile device, and then only displaying opt-out flows for the applications are installed on the mobile device. In a second approach, input is received from a user as to which behaviors the user wishes to opt out of. In a third approach, all possible opt-out flows, as determined from a database, are presented to the user.

In one embodiment, a user selects a degree of functionality within a range from minimum optional functionality to maximum optional functionality and a mobile device automatically translates that into actions to opt in and/or out of automatically-selected behaviors.

In one embodiment, a status for opt-out may be determined in various ways. A first way uses an API provided by the vendor or developer of the component to determine the opt-out status. A second way determines whether behavior is still active by running the corresponding component (e.g., in an emulated environment on a server or by monitoring behavior on the user's mobile device).

In one embodiment, a user declares preferences for specific behaviors desired on the user's mobile device. The components themselves evaluate these declared preferences in order to determine how the components should behave on the user's mobile device.

For example, the user may set its preferences, and then these preferences are stored locally or on a remote server (e.g., a developer server). A component queries these preferences (e.g., by sending a query) in order to determine how the component should behave (or is required to behave by the mobile device or another computing device).

In one embodiment, various types of preferences that can be set by the user relate to the following: location collection for targeted ads, notifications in a notification area of the user's device, planting of bookmarks or icons on a device, and app tracking used to deliver targeted ads (e.g., related to determining what apps a user has installed).

In one embodiment, various methods may be used for storing the users preferences. In a first approach, a local service on a device is used, whereby applications can query the local service to determine what preferences a user has set.

In a second approach, a server-side service permits ad networks to query a user's preferences based on a user identifier (e.g., phone number, IMEI, Android ID, Apple UDID, or hashed/salted-hashed versions of them).

In another embodiment, preferences are declared for which behaviors a user desires. Automatic scanning or alerting is performed when an application that violates these preferences is downloaded or installed.

For example, upon installation, the mobile device detects which components are in an application, and determines the behaviors that are associated with components of the application. If any of these behaviors are disallowed, or require an alert, the mobile device may either block the application from installing (or notify the user to uninstall the application), or may alert the user that the application contains a disallowed behavior in one of its components.

Now discussing additional non-limiting examples, there are various mechanisms that a user can use to express his or her intent. One example is an affirmative opt-in or opt-out for specific behaviors. For example, a user may say she does not want a specific component to track her location, or she does not want Google analytics to know certain information about her. Another might be that the user sets a preference indicating the desire that the user does not want any third party components to have access to or view the user's location data.

In another example, an application policy may be implemented. For any app that has a component that performs an unidentified behavior, the Ad Network Detector will block the app from being installed on the user's phone or other device. These are behavior-based preferences that are manifested in the prevention of installation for any applications that may contain components that express such behaviors.

In one example, when an application is running on a user's phone, it should ask a preference service or a preference store (e.g., implemented on a software developer server) what the preference is for the user and then respect that preference during execution. Information about user preferences for many users may be made available in a single online location so that a component can query and respect the preferences.

Regarding determining the components that are present in an application, the application can be identified and broken into components. After identification, there are various techniques that may be used to determine the behavior of those identified components. In some cases, structural comparisons of the call graphs of components in an application may be examined (e.g., determining which component is talking to the operating system of the mobile device, and which aspects of the operating system are involved). Other forms of static analysis may also be used that involve analyzing the code inside of a component. By analyzing the code, it can be determined whether the component can obtain a user's location, for example, or perform other functions. In one example, a knowledge base may be maintained that includes a list of components that are commonly distributed online and the corresponding behaviors of those components.

Also, dynamic analysis may be used, which is essentially running the application component in an emulated environment or on an actual device and detecting what is occurring (e.g., what services the component connects to or communicates with) on a computing device to determine whether a component has a particular behavior. Additional details regarding determination of components and component attribution are provided in the section below titled “Analyzing Components of an Application”.

In one example, the user may be presented with a screen that shows the applications installed on the user's device or the behaviors on the device (or even the full set of all behaviors that are possible on the device, even outside of the apps that the user has already installed on the device) and what applications/components the behaviors are attributed to.

In one example, a user can opt out of specific components. The user may be shown which components are on already her phone, or the user can say she does not want a certain type of behavior, and the Ad Network Detector only shows the user the specific network opt-outs that involve that behavior.

In another example, the user has expressed her preferences regarding behavior. An online preference service stores these preferences, and components are required to query the service prior to installation on a mobile device of the user. The service may be implemented on the mobile device, or on a separate server.

Analyzing Components of an Application

Various additional embodiments related to component analysis and attribution (e.g., identifying and determining components of an application) are now set forth below. The embodiments below do not limit the generality of any embodiments in the foregoing description.

In one embodiment, an application is a mobile application, which contains one or more components (e.g., a library, ad network or analytics software development kit (SDK), or other set of code designed to work together). A component identity is information about a component. Examples of component identities include the following: a category (e.g. ad network, analytics, and malware SDK), authorship (e.g. Acme, Inc., John Smith), name of a component (e.g. “AdMob”), a range of versions or all versions of a component (e.g. AdMob 6.x, AdMob, zlib), and a particular version of a component (e.g. zlib 1.2.7, AdMob SDK 6.0.1). The data associated with a given component may be stored in a database.

In one embodiment, a component's behavior is generally that behavior existing or occurring (e.g., functions performed) when a component is functioning on a computing device (e.g., functioning in an application running on mobile device 149). One example of a behavior is the sending of certain types of data to a server (e.g., sending browser history to a server at www1.adcompany.com, or sending a location to a server at tracking.analyticscompany.net). Other examples include the following: accessing data on a computing device (e.g., contacts, call history); and performing certain functions on a device (e.g., changing brightness of a screen, sending a text message, making a phone call, pushing advertisements into a notification bar).

In one embodiment, a component's structure is how a component is implemented in code. This structure may include a code package and/or a code module structure. Also, a component's structure may include characteristics of the executable code of the component, such as for example, cross-references in a control flow/call graph, references to static data, and machine instructions used.

Various further embodiments related to component analysis are now described below. In a first embodiment, a non-transitory computer-readable storage medium stores computer-readable instructions, which when executed, cause a system to: for an application installed on a computing device (e.g., mobile device 149) of a user, determine components (e.g., components 104 and 106) of the application; and identify, via at least one processor, at least one behavior (e.g., sending device location to an ad server) associated with each of the components, including a first behavior associated with a first component. The instructions may cause the system to present, on a user display of the computing device, an identification of the components. The instructions may cause the system to determine at least one behavioral preference of the user.

In one embodiment, the instructions cause the system to store a user policy (e.g., user policy 108 or one of policies 116) based at least in part on the at least one behavioral preference (e.g., user intents expressed by the user on a mobile device), and to enforce the user policy on new applications installed on the computing device.

In one embodiment, the instructions cause the first component to execute in conformance with results from a query of an identity provider (e.g., the identity provider as described earlier above, or another computing device). The instructions may cause the system to, in response to installing the application, scan the application to confirm compliance with a user policy of the user, where the user policy is stored on the identity provider. In one embodiment, the instructions may cause the system to enforce, based on identified behaviors associated with the components, a user policy for each of the components.

The instructions may cause the system to compare permissible behaviors in the user policy for the components with the identified behaviors. In one example, the comparing of the permissible behaviors comprises determining behaviors, observed for the components on other computing devices, from a data repository (e.g., a database). The instructions may cause the computing device to, in response to the determining the behaviors from the data repository, configure or disable execution of one or more of the components on the computing device.

In one embodiment, a system includes: a data repository (e.g., a database) storing component data for known components, the component data including data for a first known component; at least one processor; and memory storing instructions, which when executed on a computing device, cause the computing device to: for a new component in a first application for a computing device of a user, perform a comparison of the new component to the component data; and based on the comparison, make a determination that the new component corresponds to the first known component.

In one embodiment, the instructions further cause the computing device to, in response to the determination, perform at least one of: comparing a first known behavior of the first known component to a user policy of the user; and comparing an observed behavior of the new component to the user policy. In one embodiment, the component data includes component identities, each component identity corresponding to respective identifying information for a known component. In one embodiment, the determination is made prior to installing the new component on the computing device.

In one embodiment, the instructions further cause the computing device to associate a similarity value (e.g., a value within an arbitrary range of zero to one) with the comparison, and wherein the determination is made in response to the similarity value being greater than a threshold value. In alternative embodiments other forms of comparison of the similarity value to a threshold may be done (e.g., where the similarity value is lower than the threshold). In one embodiment, the comparison is based at least in part on a structure of the new component, the structure selected from the group consisting of a packaging structure, a module structure, and an executable code structure.

In one embodiment, the component data includes known structural characteristics and known behavioral characteristics. In one embodiment, the performing the comparison comprises comparing the known structural characteristics and the known behavioral characteristics to identified characteristics of the new component.

In one embodiment, the instructions further cause the computing device to generate a notification when the identified characteristics are determined to differ from at least one of the known structural characteristics and the known behavioral characteristics. In one embodiment, the generating the notification comprises sending an alert to the computing device.

In one embodiment, a method includes: storing, in memory, component data for known components, the component data including data for a first known component; for a new component in a first application for a computing device of a user, perform, via at least one processor, a comparison of the new component to the component data; and based on the comparison, make a determination that the new component corresponds to the first known component.

In one embodiment, the new component is selected from the group consisting of code from the first application, and a library in the first application. In one embodiment, each of a plurality of different applications includes the new component, the new component corresponds to a set of behaviors when executed on a computing device, and the component data comprises behavioral data including the set of behaviors.

In one embodiment, the method further comprises associating the set of behaviors with the new component. In one embodiment, each of a plurality of computing devices has been observed when running a respective one of the different applications, and each of the plurality of computing devices exhibits the set of behaviors. In one embodiment, the determination is based in part on a context of operation of the new component on the computing device.

In one embodiment, the context is an accessing, during execution of the first application, of location information while the first application has a visible presence to a user (e.g., the first application is presenting location information to the user on a user display), and the set of behaviors includes determining a location of the computing device. In one embodiment, the component data includes a plurality of contexts each associated with at least one acceptable behavior. In one embodiment, the component data includes risk scores for known components, and the method further comprises providing a risk score in response to a query regarding an application installed or to be installed on the computing device of the user.

In one embodiment, a method comprises: storing, in memory, a first application comprising computer-readable instructions, which when executed, cause a mobile device of a user to: for a new component of a second application installed on the mobile device, perform a comparison of the new component to component data for known components, the component data including data for a first known component; and based on the comparison, make a determination that the new component corresponds to the first known component; and sending, via at least one processor, over a communication network, the first application for storage in a data processing system for subsequent installation from the data processing system onto the mobile device.

In one embodiment, a system includes: at least one processor; and memory storing a first application, which when executed on a mobile device of a user, causes the mobile device to: for a new component of a second application installed on the mobile device, perform a comparison of the new component to component data for known components, the component data including data for a first known component; and based on the comparison, make a determination that the new component corresponds to the first known component; and the memory further storing instructions configured to instruct the at least one processor to send the first application to a data processing system so that the first application can be later installed, over a communication network, on the mobile device from the data processing system.

Now discussing a component analysis process for one particular embodiment, a new application may be decomposed into identifiable components. An identity of each component may be displayed to the user. Behavioral and/or structural characteristics attributable to each component identity may be identified. The behavior for a given component may be displayed to the user.

A user policy (e.g., user policy 108) based on component behavior may be enforced on the user's computing device. For example, the user policy may require that there be no applications that send location to an advertising network. In another example, the user policy may require that no applications send identifiers to an advertising network.

Behavioral and/or structural characteristics of a component present in the new application may be identified. This may be, for example, an application 1013 that has been installed on mobile device 149.

A comparison is made between the characteristics attributable to the component identity and the characteristics that have been identified in the new application. In one embodiment, if the identified characteristics are different from the characteristics attributable to the component identity, then an alert is generated to indicate that the behavior of the component has changed. The characteristics attributable to the component identity may be stored in a database of the identity provider and may be accessed when making this comparison. For example, these attributable characteristics may be stored as component data associated with respective component identities (i.e., known data regarding component behavior or other characteristics of a component may be stored for each component identity).

Now, further detail regarding how component analysis is performed is described below. As mentioned above, an application is decomposed into identifiable components. In particular, a data repository stores a set of component identities in a database.

Each component identity has identifying information for a given component that, if present in an application, indicates that the given component is present in the application. Examples of identifying information include the following: a package name prefix for a set of one or more classes, a class name, or a code fingerprint of a code block, method, class, package, etc.

When used, fingerprinting can be performed in a variety of ways. A first way is the creating of an abstract representation of an instruction set. Another way is to, from an abstract representation, create a set of n-gram indices that can create a fingerprint identifier for a set of code (e.g., a hash of indices) or that can be compared to another set of indices to perform a fuzzy match. In yet another way, asset or resource fingerprinting may be used. As a final way, fingerprinting may be done by analyzing the network traffic generated by an application on a device or in a dynamic analysis system. Server communication, network traffic destined to a server, may be used to associate a component with a particular network service. Some examples of network traffic include traffic to server with name server1.somewhere.com, traffic to server with IP 8.8.8.8 or 2001:4860:4860::8888, HTTP request with header “User-Agent: MyHttpLibrary-1.1”, HTTP request with a particular URI or URI pattern, and traffic that matches a SNORT or YARA rule.

Analysis of a new application can be used to determine if identifying information for a given component identity matches the new application. If it matches, then the given component is present in the new application. This analysis can be done at the client (e.g., mobile device 149), the server (e.g., the identity provider discussed above), or using a combination thereof.

In one embodiment, the analysis is done at one computing device (e.g., either on the client or the server). The database of identifying information is stored locally on the computing device. The new application is also present locally (e.g., the new application itself has been previously sent to the identity provider from mobile device 149, or from application marketplace or developer server prior to installation on mobile device 149).

In this embodiment, there are multiple options for analysis. In a first option, for each item of identifying information in the database, the new application is searched to determine if the identifying information matches the new application. Alternatively, information can be extracted from the new application, and then a check or comparison done to see if that information matches any of the identifying information stored in the database.

In another embodiment, a client submits information to a server to determine components that are present in an application. The database of component identifying information (known component data) is stored on the server. The application is present on the client. The client extracts information (e.g., component identifying information) from the application, and then sends this extracted information to the server.

The server checks to see if the extracted information matches any of the identifying information in the database (e.g., the extracted information may be received as a query from mobile device 149). If so, the server sends back information about component identities to the client (e.g., the server sends results from the query to mobile device 149).

In a different embodiment, the client submits an identifier for the new application to a server. This identifier may be, for example, a hash of the application binary code, a package name, a title of the application, or another form of application identifier. This server stores data regarding previously-analyzed applications. This data includes a list of components for each of the previously-analyzed applications. In yet other embodiments, the application information is gathered from an application store or marketplace, or from another device different from the client (e.g., where the application is not installed on a client, but is stored within an application store for downloading and installation, or is being staged for placement into an application store).

The server of the different embodiment above uses the identifier received from the client and compares this identifier to the data regarding previously-analyzed applications. If there is a match between the identifier and a previously-analyzed application, then the components for that matched application (obtained from the stored list of components above) are determined to be in the new application (and this result may be sent to the client). This matching to the database may be done similarly as was described earlier for the component analysis above. The server of the different embodiment above sends information about these identified component identities back to the client.

After a component has been identified as being present in an application, the identity of the component may be displayed to the user. For example, identification and display of components present in an application may be done similarly as was described above for the Ad Network Detector. Behavioral and/or structural characteristics that are attributable to a given component as stored in the database for various component identities may be sent from the server to the client for those components that have been identified as being present in an application.

In one embodiment, there are various ways to identify characteristics that are actually present in a component of an application. In one embodiment, a method gathers information from an application on a mobile device for further processing at a server. According to this embodiment, information that has been gathered is then used for component analysis at the identity provider (discussed above) in order to identify characteristics of a component.

In another embodiment, behavioral characteristics may be determined or collected using other approaches. For example, behavior may be determined based on network traffic (e.g., SMS, IP) data, or based on the code source of a given behavior (e.g., a class name or a package name responsible for geo-locating, or a fingerprint of a code segment responsible for sending SMS traffic).

In one embodiment, component identity-attributable characteristics are compared to actually-present characteristics (e.g., as gathered for a new application just installed on a mobile device). For example, if behavior is part of the known data for a component identity, and a new application's component behavior matches this known behavior, then it is assumed that information about the component identity applies to the new application. Information about the component identity may include, for example, a text description, risk scoring, and data whether an application is malware or is not malware. For example, this information may be provided as a result or response to a query from a mobile device.

If the actual behavior and the known behavior for the component identity are different, this may indicate that the component in the new application is a newer version or a tampered-version, and that the component needs to be reviewed again in order to update the database. Also, an alert may be generated based on the component information determined above. For example, an email may be sent to an analyst to do further analysis of a component, or an entry may be created in a work queue regarding further component analysis to be done.

In various other embodiments, the results from component identification for applications on a device are presented to the user. The user may provide input in a user interface to define or update a user policy based on this component identification. For example, the user may opt-out of an identified component.

In another embodiment, a component review process is provided for reviewing potentially undesirable code at scale (where manual review is not practical). The component analysis as described above is automated so that a human is not required to do component analysis manually. Characterizing components that have been previously reviewed (e.g., stored as data for a component identity with a risk score) and determining when that component has changed behavior (i.e., the actual behavior is different from the known behavior stored in the component identity) can create an automated process where humans only need to re-review component code when its behavior has changed. A behavior change may also be associated with a code fingerprint having changed slightly (e.g., if doing a fuzzy match, there is a threshold for which it is considered that there is no change, and another threshold for which it is considered that that there is a sufficient change in behavior). In various embodiments a comparison to a threshold may be done to see if a value is lower or greater than the threshold (which may include the cases of equal to or lower, or equal to or higher than the threshold). Similarly, other characteristics disclosed can be used to determine if the component in the new application exactly matches the known component or if it partially matches in a way that merits re-analysis.

Yet another embodiment relates to behavioral risk analysis of applications. In this embodiment, the component analysis involves separating identified components that have already been reviewed (i.e., components that have known component data stored in a database), and that are common across numerous different applications (or across copies of the same application) as installed on many computing devices, from components that are unique (e.g., an associated behavior has not been observed before) to a particular new application (e.g., behavior unique to a single, most-recent installation on mobile device 149). These unique behaviors are specifically audited within the context of the new application (e.g., application 1013).

As an example of context, it is common for ad networks to ask for location data. This is a well-accepted behavior. If a user is looking, for example, at a game like Angry Birds, an application that asks for a location may be exhibiting acceptable behavior if this behavior is associated with an ad network that has been previously observed as being acceptable (e.g., as determined from data stored in a database). However, in other cases, actual game code that is itself asking for location may be inappropriate behavior.

The amount of code that is unique to any given application is typically fairly small. Most applications (e.g., for mobile devices) predominantly use code that is in at least one or many other applications (the majority of code in an application is typically not unique and there is a lot of commonality in code between applications).

Sometimes, when a behavior is analyzed in the context of a known SDK, the behavior is a repeatable behavior that has previously been determined to be acceptable (or to have a low risk score). Thus, for example, if a library has already been reviewed, then further analysis can be skipped.

In an embodiment regarding similarity of known and new applications, fuzzy matching and fingerprinting may be used (as was discussed above). For example, a similarity score of zero to one may be used. A similarity score is returned from the server after analysis of a new application. The code in the new application is compared to code that is already in the identified component library (e.g., a library in a database on an identity server).

Typically, there is not an exact code similarity match because there are many changes that a compiler can make to a particular application installation to make it different than other installations. Similarities are defined so that if the differences are over a similarity threshold, then a determination is made that a known component is present in the newly-installed application. For example, the new application may include a slightly-customized version of a component (that was previously determined to be acceptable). In alternative embodiments other forms of comparison to a threshold may be done (e.g., where a value is lower than the threshold). In other cases, the new application may include a new version of a component that has not been previously analyzed. In one embodiment, unacceptable code that has been only slightly modified to defeat similarity protection mechanisms is instead detected as unacceptable based on behavioral observation and component analysis as discussed above.

In one embodiment, components are analyzed with respect to similarity of previously known components. Behaviors can include use of personal identifying information or device information, or any actions that can be taken by applications on the device, including user interface displays, notifications, network communications, and file reading or writing actions. Policies to control or restrict the behavior of applications and their components may be defined and applied. This can include the identification of advertising networks and defining policies to permit various opt-out actions for these advertising networks.

Assessing Application Authenticity

Various embodiments related to assessing application authenticity are now set forth below. In one embodiment, a method includes: evaluating (e.g., by a server or a mobile device) authenticity of a first application (e.g., software being downloaded to a mobile device) to provide a result, where the evaluating uses a plurality of inputs. In response to the result, an action is performed on the computing device.

In one embodiment, the result is a determination of a source of software. In another embodiment, the result is a state designation that is sent to evaluation server 150 for use similarly as described above for the administrator state designation. State designations from the authenticity server 1005 and the administrator server may both be used by server 150 in its determination of the state designation to send to mobile device 149.

In one example, the evaluating may be done by a server for an application that a user of a mobile device desires to install from an application marketplace. In one embodiment, the computing device is a server, and the action is sending a notification from the server to the mobile device, the notification including an assessment of authenticity of the first application.

In one embodiment, the computing device is a mobile device on which the first application is being or has been installed, and the action is providing of a notification in a user interface of the mobile device relating to an assessment of authenticity of the first application. In an alternative embodiment, the application may have been previously installed on the mobile device, but the user desires an evaluation of authenticity (e.g., to consider whether to remove the application from the mobile device).

In one embodiment, one or more of the plurality of inputs may be received from a distributor of the first application, an online application store, a carrier/operator/device manufacturer (e.g., for preloaded software on a mobile device), and/or from a computing device within an enterprise or an organization's internal network.

In one embodiment, the computing device is a server (e.g., authenticity server 1005), and the first application has a first package identifier and a first signing identifier, the method further comprising receiving the first package identifier and the first signing identifier from a mobile device on which the first application is being or has been installed. The first package identifier may be, for example, an Android package name, an Apple iOS bundle identifier, or a hash of such name or identifier, etc. The first signing identifier may be, for example, a certificate (e.g., a signing certificate, digital certificate, etc.), a certificate thumbprint, or a public key, or a hash of a certificate, a hash of a public key, or other data which can be used to identify the signer. In one embodiment, the method further comprises receiving the first application itself from the mobile device (e.g., for testing or other operation for evaluation by the server).

In one embodiment, the plurality of inputs comprises receipt (e.g., from a computing device of a developer of the first application) of a developer signing certificate for the first application, and the evaluating comprises comparing the developer signing certificate to the first signing identifier.

In one embodiment, the plurality of inputs comprises one or more of the following: receipt, from a computing device, of an indication of ownership in the first application by a developer (e.g., a developer of known or assumed credibility simply makes an assertion or claim to ownership in an electronic communication); a prevalence of the first application (e.g., the application is the most popular version that has been distributed and this version is assumed to be authentic); and a model (e.g., a model to predict expected characteristics associated with a first application and/or to assess observed behavior or characteristics for the first application). In one embodiment, the first application has a first signing identifier, and the plurality of inputs comprises a history of the first signing identifier.

In one embodiment, the method further comprises comparing a first signing identifier of the first application to a signing key in a registry of known signing keys. In one embodiment, the registry comprises a plurality of package identifiers, each identifier associated with a respective one of the known signing keys, and the method further comprises comparing a first package identifier of the first application to the plurality of package identifiers.

In one embodiment, the result from the evaluating is a score, and the performing of the action is conditional on the score exceeding a threshold (or other alternative forms of comparison to the threshold).

In one embodiment, the evaluating comprises: identifying a plurality of applications that are similar to the first application (e.g., using component analysis as discussed above); classifying the similar applications, based on a respective signing identifier for each application; and identifying, based on the classifying, applications having a signing identifier of a developer, and applications having a signing identifier that is different from the signing identifier of the developer.

In one embodiment, the method further comprises sending a notification to a computing device of the developer that identifies the applications having the signing identifier that is different from the signing identifier of the developer.

In one embodiment, the identifying the plurality of applications that are similar to the first application comprises identifying applications having at least one of an identical package identifier, code similarity, identical strings, similar strings, identical media assets, and similar media assets. In one embodiment, a server determines the similarity of newly-observed applications to a previously known-to-be authentic application (e.g., stored in a database at the server). In one example, this determination includes component analysis (e.g., comparison of known and new components) and/or application/component/code similarity assessment as was discussed earlier above. In another example, the server can notify the developer of the authentic application, or challenge the developer to authenticate itself as the actual application signer for the newly-observed application(s).

In one embodiment, the method further comprises receiving the signing identifier of the developer, sending data to the developer to be signed by the developer with a private key, receiving the signed data from the developer, and confirming the signed data corresponds to the signing identifier of the developer. For example, the data sent to the developer may be an archive or a nonce, or the data may be for the issuing of a crypto-based challenge to the developer.

In yet another embodiment, the first application may be examined in the context of known business entity databases (e.g., Equifax database, Dun & Bradstreet database, etc.) or other information sources, and information obtained from such sources may be used as one or more of the plurality of inputs in the evaluating of the first application. For example, these inputs may include: the company name as determined from a WHOIS response; the name of an owner of the IP space that the first application talks to (e.g., an inquiry can be made as to who owns the application server that the first application communicates with); the response to an inquiry as to whether the package name for the first application corresponds to a valid organizational domain name, and further whether that domain name's WHOIS name shows up in a business database; and the developer name as determined in an online application store such as Google Play.

In one embodiment, authenticity is assessed by a method in which mobile device 149 of a user communicates with authenticity server 1005 to evaluate the authenticity of new application 1013, for example which is being newly-installed on the mobile device (or alternatively has already been installed), according to one embodiment. In other embodiments, some or all of the authenticity functions described for authenticity server 1005 may be performed by an identity server.

Authenticity server 1005 receives from mobile device 149 a package identifier and a signing identifier associated with new application 1013. Authenticity server 1005 uses a plurality of inputs, such as are described herein, to evaluate the authenticity of new application 1013. This evaluation provides a result, for example a score indicating the risk of the new application being inauthentic. Based on this result, an action is performed by authenticity server 1005. If the score is above a threshold, the application may be deemed as being untrusted, or a state designation of untrusted may be sent to server 150.

In one embodiment, based on the above result, the action performed by authenticity server 1005 is implementation of a quarantine of the new application 1013. For example, the quarantine can be implemented as described in the section below titled “Quarantine of Software Based on Analysis of Updated Device Data”.

In one example, the action performed is the sending of a notification to a mobile device 149 in order to alert the user that the new application 1013 may be fraudulent or a tampered version. New application 1013 may have been provided, for example, to application marketplace 123 or directly to mobile device 149, by developer server 160, along with signing certificate 162. The developer server 160 also provides a package identifier for new application 1013. The signing certificate 162 is one form of signing identifier that may be provided to authenticity server 1005 for evaluation of application 1013.

Authenticity server 1005 has a database 1007 for storing information and data regarding applications, such as previously known or identified applications that are considered to be authentic. The authentic developer or other source of the application is stored in database 1007. Database 1007 further may include component data 1009, which corresponds to information about software components as was discussed earlier above. Database 1007 further may include repository 1003, which stores package identifiers and corresponding signing identifiers, for example such as collected or identified for previously authentic, known-good, or deemed good applications.

The evaluation of authenticity may alternatively be performed in part or fully on mobile device 149. If an inauthentic application is discovered, then the user of mobile device 149 may be notified on a display of a user interface. This notification may include an assessment of the authenticity of the new application 1013.

In one embodiment, authenticity server 1005 compares signing certificate 162 of the developer from the developer server 160 to an existing signing identifier contained in repository 1003. Authenticity server 1005, in one example, compares signing certificate 162 to a known, good signing key stored in repository 1003.

Various other non-limiting embodiments are now described below. In a first embodiment, authenticity server 1005 has a registry of known application signing keys and the package names they are registered for. If an application pretends to own one of those package names with a different signing key, a user is alerted that the application is likely tampered with. In some cases, authenticity server 1005 may also use similarity detection (e.g., similarity analysis as was discussed earlier above) to determine that, even if an application has a different package name, it is highly similar to another previously-known application, but has a different signer.

In one embodiment, all applications are identified that are similar to a given application (e.g., where the given application is being newly-installed on a mobile device). One or more of the following inputs may be used in evaluating the new application: whether applications have the same package name, code similarity between the applications, similar or identical strings (especially strings that occur infrequently) between new and known applications, and similar or identical media assets (e.g., images, sounds, video, etc.) between new and known applications. In some embodiments, similarity and/or component analysis as was discussed above may be used.

In one embodiment, applications that have been determined to be similar (e.g., as described above) are classified based on signing certificates, which are used to classify applications into two groups: applications with a given developer signing certificate, and applications with a different signing certificate. This classification is used for one or more of the following: identifying potentially pirated applications (e.g., for copyright enforcement); identifying potentially malicious applications; optimizing a sales strategy (e.g., such as identifying additional markets where an application could be sold); and managing release processes (e.g., identifying versions of an application that are sold in different markets).

In one embodiment, a workflow for establishing ownership of a signing certificate includes: a developer or other user uploads the certificate, then receives download of a jar (or Java archive), which the developer must sign to prove that it has the private key corresponding to the certificate. In one embodiment, the workflow is extended to allow a developer to manage multiple signing certificates.

In one embodiment, a workflow for discovering applications, based on proof of certificate ownership includes: a developer or other user proves certificate ownership, then authenticity server 1005 finds all packages signed with the same certificate, and also identifies similar applications, signed both by the same certificate and other certificates. In one embodiment, the workflow is extended to allow a developer to manage multiple signing certificates.

In an alternative embodiment, authenticity server 1005 provides monitoring and security services to Android or other system developers. These services determine developer identification (to confirm that the developer is who it purports to be). The services may include monitoring tools and/or anti-piracy functions. If the developer's application has been pirated and is being distributed in different markets, authenticity server 1005 notifies the developer.

In one embodiment, an assessment of privacy is provided by the services. This includes analyzing potential privacy issues in the application. Authenticity server 1005 may generate a privacy policy for the developer based on permissions provided by the developer. In one embodiment, a security assessment is provided by the services. Authenticity server 1005 analyzes potential security vulnerabilities and provides recommendations to the developer or other entity.

In one embodiment a system that checks for harmful behavior of an application to be installed on a mobile device is used. A server computer receives from the mobile device data pertaining to the application to be installed and information pertaining to the mobile device. The server processes the data and information to determine an assessment for the application to be installed. The assessment is provided to the mobile device and the assessment is displayed on the device if the assessment is one of dangerous and potentially dangerous. The data and information received from the mobile device may be used, for example, as one or more inputs in the plurality of inputs for evaluating the first application as described herein.

In one embodiment, a system provides advisement about applications on mobile devices such as smartphones, netbooks, and tablets. A server gathers data about mobile applications, analyzes the applications, and produces an assessment that may advise users on a variety of factors, including security, privacy, battery impact, performance impact, and network usage. Users are helped to understand the impact of applications to improve the experience in using their mobile device. A server feeds information about applications to other protection systems such as application policy systems and network infrastructure. Advisement about applications is presented in a variety of forms, such as through a mobile application, as part of a web application, or integrated into other services via an API. The data gathered by the server may be used, for example, as one or more inputs in the plurality of inputs for evaluating the first application as described herein. Also, some of the forms of advisement discussed may be used, for example, in providing notifications to the user and/or to developers or others regarding evaluations of software authenticity.

In one example, the context in which a signing certificate or other signing identifier or signing is observed is assessed using factors which may include one or more trust factors. These factors may, for example, be used in formulating a score that is compared to a threshold that is used to make a decision whether to perform an action in response to evaluating an application (e.g., various forms of comparison to the threshold may be used, as described previously). In one embodiment, the action performed can include quarantine of an application or other software (e.g., the same or similar software previously installed on other computing devices), such as described below in the section titled “Quarantine of Software Based on Analysis of Updated Device Data”.

In particular, a method for evaluating security during an interactive service operation by a mobile device includes launching, by a mobile device, an interactive service configured to access a server over a network during an interactive service operation, and generating a security evaluation based on a plurality of trust factors related to a current state of the mobile device, to a security feature of the application, and/or to a security feature of the network. When the security evaluation is generated, an action is performed based on the security evaluation. In some examples, these actions may be performed in response to the result from an evaluation of application authenticity.

In another embodiment, the first application is evaluated to determine its components and/or to identify behaviors associated with each of the components. This evaluation may provide some or all of the plurality of inputs used in the evaluating of the first application as was discussed above. In one embodiment, the components of the first application can be analyzed regarding similarity to previously-known components when assessing authenticity of the first application.

Behaviors associated with one or more components of the first application may include, for example, use of personal identifying information or device information, or any actions that can be taken by applications on the device, including user interface displays, notifications, network communications, and file reading or writing actions. In one embodiment, the evaluating of the first application may include analysis of components of the first application as described in the section above titled “Analyzing Components of an Application” (and also further optionally include analysis of components in other applications being compared to the first application).

In one embodiment, the first application above is a mobile application, which contains one or more components, such as were discussed previously above. The source of the components is indicated by a component identity. In one example, the component identity is an authorship (e.g., an identification of a developer of the first application), or the name of a component. Previously collected data associated with a given component may be stored in a database (e.g., as was discussed above).

In one embodiment, as discussed in more detail below, for a first application being installed on mobile device 149, components are identified and behaviors exhibited on mobile device 149 are attributed to one or more of the components. Any given component may be present in several different applications on mobile device 149 and/or may be common to numerous copies or versions of an application that have been installed on computing devices for large numbers of other users. In one embodiment, this commonality of component presence permits observing and collecting structural and behavioral data associated with the component. This known component data is stored in a database (e.g., database 1007 discussed above) and the component data is associated with a particular component identity. Thus, a data repository of prior component data can be used to compare to data more recently obtained for new components (such as those identified in newly-installed applications on a mobile device) when evaluating authenticity of the first application being installed.

More specifically, as characteristics and behaviors associated with components on mobile device 149 are identified and attributed, these characteristics and behaviors may be compared with known characteristics and behaviors stored either locally on mobile device 149 or stored remotely on authenticity server 1005 in database 1007. The results from such comparisons may be used as inputs for the evaluating of the first application being installed (e.g., for making decisions regarding disabling of one or more particular components that are being considered for a new installation on the mobile device).

In one embodiment, behavioral and/or structural characteristics of a component present in the first application may be identified (e.g., as was discussed in the section titled “Analyzing Components of an Application” above). This may be, for example, an application that is being installed on mobile device 149 and for which the user desires to determine if the application is from an authentic source (e.g., a known developer of an earlier or related version of the new application).

A comparison is made between the characteristics attributable to a component associated with the first package identifier and characteristics that have been identified in the new application. In one embodiment, if the identified characteristics are different from the characteristics associated with the first package identifier, then an alert is generated to indicate that the new application is not authentic. The characteristics associated with the first package identifier may be stored in a database of authenticity server 1005 and may be accessed when making this comparison (alternatively, the characteristics may be stored in a database and/or the comparison made or supported by an identity provider). For example, these attributable characteristics may be stored as component data associated with respective component identities.

Each component identity has identifying information for a given component that, if present in an application, indicates that the given component is present in the application. Examples of identifying information include the following: a package name prefix for a set of one or more classes, a class name, or a code fingerprint of a code block, method, class, package, etc.

Analysis of a new application being installed can be used to determine if identifying information for a given component identity matches the new application. If it matches, then the given component is present in the new application. This analysis can be done at the client (e.g., mobile device 149), the server (e.g., authenticity server 1005 or an identity provider), or using a combination thereof. This match that determines presence of the component in the new application can be used as an input in evaluating authenticity of the new application.

In a different embodiment, the client submits an identifier for the new application to a server (e.g., authenticity server 1005). This identifier may be, for example, a hash of the application binary code, a package name, a title of the application, or another form of application identifier. This server stores data regarding previously-analyzed applications. This data includes data associated with each component of a set of components for each of the previously-analyzed applications.

The server uses the identifier received from the client and compares this identifier to the data regarding previously-analyzed applications. If there is a match between the identifier and a previously-analyzed application, then the components for that matched application (obtained from the stored set of component data above) are determined to be in the new application. This result may be sent to the client. Also, this result may be used as one of the plurality of inputs in evaluating the application. In one example, this matching is done similarly as was described earlier above for the component analysis on a single device. The server sends information about these identified component identities back to the client (e.g., a notification that a new application is not authentic, or a score indicating the risk of a fraudulent application).

If the actual behavior and the known behavior for the component identity are different, this may indicate that the component in the new application is either a newer version or a tampered-version (i.e., is not authentic), and that the component needs to be reviewed again in order to update the database. Also, an alert may be generated based on the component information determined above. For example, an email may be sent to an analyst to do further analysis of a component, or an entry may be created in a work queue regarding further component analysis to be done. In another example, a notification is sent to the developer of a prior, known-good version of an application (e.g., to alert the developer that a fraudulent version of the application was identified).

Yet further additional non-limiting embodiments and examples are now discussed below. In a first embodiment, a developer registers through a website and provides its signing key. The developer claims authorship of a given application. An application that is signed with this key is considered to be authored by the developer. If the same application is signed by a different person or entity, then authenticity server 1005 alerts the developer that another entity is potentially illegitimate.

In one embodiment, authenticity server 1005 implements an authenticity component and a response component. An application is evaluated by the authenticity component and the result from the authenticity component is acted upon by the response component.

The authenticity component is a data set that may include a plurality of inputs used for evaluating an application. For example, these inputs may include that a developer signs an application, the prevalence of an application, the context or environment in which the application is observed, and a history of the signing key or certificate associated with an application.

The output from this evaluation may be a score such as, for example, 0.4 or 0.6 on a scale of 0.0-1.0. This multi-input authenticity component model provides a result that is acted upon by the response component. In one embodiment, the score is used to make a decision to set a state designation for an application to trusted or untrusted.

Another embodiment is based on probability, in which it is assumed that the most popular version of a given application is the legitimate one. Another embodiment assumes that the application that is published in Google Play, or another legitimate application store, is the legitimate or authentic one.

If another version of that same application is signed by a different person, then one of the applications is authoritative and the other is not. Authenticity server 1005 alerts the user the mobile device as to whether a version being installed is authentic.

In one embodiment, there are various ways to determine the authentic version of several versions of an application being distributed. In some cases the most popular version of an application may not be the authentic version of the application. Thus, a collection of factors are used from the exemplary inputs provided above (e.g., whether the application is published in the Google Play store, what is the context of the observation of the application, does the application have good online reviews over an extended predetermined time period, such as for example more than 6 months, etc.).

In one embodiment, the history of usage of a signature is considered as an input. For example, if a signing key is used to sign an application that authenticity server 1005 knows is bad, then if that same key signs other applications, those applications can also be assumed to be bad. This is like a signer reputation. If the signer is connected to prior suspicious activity, then the signer itself can be flagged as suspicious, and this fact considered in evaluating authenticity.

Another input may be the signing of different applications that authenticity server 1005 knows are provided from different developers. Another input is that the applications may communicate with different servers in different parts of the world—this indicates that one of the applications is not authentic and/or that there are potentially different developers.

In one embodiment, the first appearance of a signed application indicates authenticity. For example, the first person to sign and package that application is considered or assumed to be the authentic author. Authenticity server 1005 may have a huge network of devices (e.g., greater than 10,000 or 1 million devices) that report all the applications that they see. Therefore, presumably the legitimate application appears first as stored in database 1007. For example, the first time that the server sees an application, it will take the signature on that application and consider it to be the authentic signature.

In one embodiment, another input is the number of stars or other rating level that an application gets in Google Play or another store. For example the application may have been in a store for at least a predetermined time period (e.g., at least one or two years) and have a good rating. If the application has at least a predetermined number of ratings, for example, 300,000 ratings, and a star value over a given level, then the application is likely a legitimate version of the application.

In one embodiment, the longevity of the key is an input. The longevity may be a weighted user distribution based on time period and number of users. For example, if the application is observed for a year, but with very little users, that is a negative input. However, in contrast, having a million users over a year is a positive sign.

In one embodiment, various inputs are provided into a black box model used in authenticity evaluation. The inputs may include, for example, the signing key as registered by the developer itself, the usage history of a signing key, a history-weighted time of first appearance, an appearance in certain reputable application stores, a signing key used to sign applications that are substantially different, applications that talk to substantially different servers, applications that have substantially different code bases, and two applications that are signed and appear under different developer names in an authoritative marketplace such as Google Play.

In one embodiment, there are different interfaces provided for different users to provide information from authenticity server 1005 about the result from the evaluation of the authenticity. For the user (e.g., user of a mobile device), there may just be a warning provided (e.g., a popup that states that an application is not authentic). An alternative is a notice that indicates (e.g., an authentication seal that appears in the lower right-hand corner of a window) to the user that this is an authentic application. As one example, a user is presented and sees an authentication seal when a banking application is being installed by the user on its mobile device.

Permissions Policy Manager

Various embodiments related to managing permissions for computing devices are now described below. The generality of the following description is not limited by the various embodiments described above. In one embodiment, a permissions policy manager (e.g., executing on evaluation server 150) facilitates management of permissions decisions by a user and/or an administrator. In one embodiment, the permissions policy manager provides additional behavioral information (e.g., to a user device and/or administrator server). In one embodiment, permission decisions are supported by delegation of permission decisions (e.g., delegation to dynamic contextual enterprise policies).

As used herein, granting a “permission” includes, but is not limited to, permitting software to execute, implement, or otherwise use one or more functions of a computing device and/or access certain data (e.g., local or remote access to data). In one example, a permission controls data that an app is allowed to access. In some cases, the permission can be set manually by a user, developer, or administrator of the software. In other cases, the permission can be set automatically by another computing device or software. For example, MDM software can automatically change one or more permissions of user software on a computing device managed by the MDM software.

In one example, a user configures a user's intent on the user's mobile device by configuring one or more permissions on the device. As described above, in various examples, a user may express an intent as to how the user desires its device to behave. The intent may be explicitly provided by the user or may be otherwise determined (e.g., by reference to a database on an administrator server).

In one example, as mentioned above, a mobile device running the Android Marshmallow (Android 6.0) operating system implements an opt-in system; a mobile device running iOS also implements an opt-in system for permissions. A user is prompted to grant or deny individual permissions (e.g., access to the camera or microphone of a mobile device) to an application when the application is first used. The application stores the permission grants, which can be later revoked by the user.

In some prior approaches, permissions are typically handled on an all-or-nothing basis, in which a user cannot appropriately tailor the permissions to manage data privacy and control security risks. Further, users often do not have sufficient information on which to make an appropriate selection of permissions. For example, a user may not be familiar with an application that has been newly-installed, yet is making a request for numerous, broad permissions.

In many cases, the management of permissions for software on an Android device for earlier operating systems has been problematic. For example, a user has to accept all permissions requested by the app at time of installation. A user cannot say “yes” to one permission and “no” to another. Instead, this is an all-or-nothing situation. Users often do not know what an app will do with a particular permission. For example, a permission to “read contacts” does not inform a user whether the app will export all contacts, or simply help a user communicate with other people by reading a select few contacts. Moreover, the foregoing problem is not limited to Android devices, and can be exhibited in some cases by other computing devices (e.g., Apple iPhone devices or other computing devices).

In some later operating systems, the permission model is changed. For example, the user will not be asked to approve the permissions at time of installation, but rather when the app first attempts to use a permission. The user can say “yes” or “no” to individual permissions. The user can go to “settings” and change the user's prior decision regarding permissions.

But even with granular permissions as may be provided by later operating systems, a user often may not know what answer to provide to a permissions request. What is needed is a way for a user to obtain knowledge or advice as to how to make a decision, and/or to delegate the decision-making process to some other automated or manual process.

In addition, an enterprise may not wish certain activities of certain apps to happen while the user's device is (a) on the enterprise's physical premises, or (b) connected to the enterprise's network. What is needed is a way to allow an enterprise to specify a policy for those permissions that will be allowed to apps when they are “in the enterprise” in the sense of situations (a) or (b) above.

Additionally, an enterprise may not wish certain activities of certain apps to occur or happen while the user's device is (c) in a trusted location or on a known trusted network (e.g., a trusted VPN connection), or (d) in some other unknown location, or on an unknown or untrusted network. Also, (e) an enterprise may desire that the app perform certain activities when the app is being used to access enterprise data. For example, when Google Drive is used to access company data, the activities performed by the device can be limited by the method described in this disclosure. In addition, an enterprise can also limit an app's activities if biometric feedback from the device is used to determine that the individual operating the app or device is not the primary user. For example, a camera can be used to determine that the person operating the app or device is not the primary user. In another example, the actions (e.g., typing style, etc.) of the person operating the app or device can be used to determine that the person operating the app or device is not the primary user. What is needed is a way to allow an enterprise to specify a policy for what permissions should be allowed to apps when they are “not in the enterprise” in the sense of conditions (c) or (d) above.

Also, an enterprise in a BYOD (“bring your own device”) scenario may need to know what are the current permissions settings for one or more devices in the enterprise. What is needed is a way to obtain a report from each such device, for each app on each device, and for all defined permissions to determine what is the current status of that permission. Examples of such permission status may include the following: {question-not-yet-asked, question-asked-answered-yes, question-asked-answered-no, set-to-yes-via-device-settings, set-to-no-via-device-settings, set-to-ask-on-demand-via-device-settings, reset-to-yes-or-no-or-ask-by-enterprise-policy}

Various embodiments of the present disclosure discussed below provide one or more technological solutions to the above technical problems. In one embodiment, a computing system provides additional information when a permissions question is asked (e.g., when a popup screen on a mobile device requests that a user grant a permission) by the operating system (OS). For example, the additional information may include data regarding how the app will actually use the permission. In one example, this behavioral information has been obtained by running the app in the cloud, or in an emulator, or by tracking actual app performance/behavior on other devices.

In one example, the additional information can be structural and/or behavioral information regarding software (or similar software) as determined by an evaluation server (e.g., evaluation server 150 in the computing system of FIG. 1, 3, 4, or 5). In one example, the additional information can be data regarding software as stored in server app data 402, source database 406, and/or database 1007. The additional information can be provided directly to a user device, or be provided first to an administrator server, then to a user device. MDM software may filter, or do other processing using, the additional information received from an evaluation server to determine one or more actions to perform. One of these actions can be implementing a quarantine of the software that is requesting a permission.

In one embodiment, the additional information includes advice from an administrator server as to whether the permission should be granted or not. The additional information may include information from one or more people that had been preselected by the user, regarding what permissions choice was made for a particular app on their device. In an embodiment, any of the additional information can also be presented in the device settings application, and/or while the user is browsing an app store (e.g., via an app or a browser).

In one example, a user may have “subscribed” to set up a decision delegation to one or more administrators or users (e.g., the user delegates decision-making regarding granting or denying permission requests to a decision delegation device or process). For example, a subscription can include more than one person and can be in several different modes. One mode is ‘veto-mode’—any ‘no’ decision from a subscribed person causes an automatic ‘no’ on the user's device as to a particular permission request. Another mode is ‘any OK mode’—any ‘yes’ decision from a subscribed person causes an automatic ‘yes’ on the user's device. Another mode is ‘majority wins’—if the majority of subscribed-to people say ‘yes’, then the ‘yes’ decision is taken on the user's device (and similarly for ‘no’). A subscribed-to person's advice may be determined by what settings that person has used for that app on that person's device, or may be based on a manually-entered recommendation for permissions for that particular app, or may be based on blanket decisions for a particular permission, regardless of app.

In one embodiment, a question is actually posed to the subscribed-to person (e.g., “should my device say ‘yes’ or ‘no’ to permission ‘X’ for app ‘Y’?”). The answer(s) to the question are used, depending on mode, to set the answer on the user's device. The user's and device's current context (e.g., location, type and identifier of network connection, etc.) can be part of the permission request and used in the decision-making process.

In one embodiment, the user of the device can manually choose ‘yes’ or ‘no’ regardless of the subscription info; or the subscription may be ‘locked down’ so that the decision delegated has to be followed and will be automatically taken.

In one embodiment, an enterprise policy requires certain permission settings for particular apps, when the device is in a context of “in the enterprise” in the sense of conditions (a) or (b) above, or “not in the enterprise” in the sense of conditions (c) or (d) above. A server of the enterprise may refuse network or other services to the device if the permission settings are not in accord with the policy. Upon entry to condition (a) or (b) above, the permissions for apps are dynamically changed according to the enterprise policy. Upon exit from condition (a) or (b), the permissions are restored to their state prior to entry.

Upon entry to condition (c) or (d) above, the permissions for apps are dynamically changed according to the enterprise policy. Upon exit from condition (c) or (d), the permissions are restored to their state prior to entry. In one embodiment, an attestation as to the current state of the permissions can be provided by a component on the device to the enterprise server for admission control or authorization. Authentication to the enterprise may also be required.

In one embodiment, a report of current permissions settings for one or more apps on one or more computing devices (e.g., user mobile devices) is created and sent to an administrator server. In one embodiment, a test or analysis is made to compare the report of permissions settings to a policy (e.g., an enterprise policy) to identify what changes may be required, and/or what permissions configuration should be used or required.

In one embodiment, a security component on the user device can be empowered to automatically act for the user in changing or setting permissions for apps. In one example, this can be accomplished by using assistive or accessibility technology as may be provided by the operating system of the user device, and/or by a capability in the operating system by which the user can delegate such permissions security decisions to a specific app or component.

In some embodiments, depending on the capabilities provided in a particular version of a mobile device operating system, it may not be possible for a security application or other application software to make the permissions changes required to bring an app's permissions into compliance with a permissions policy, and/or otherwise configure permissions as described above. In such situations, one or more of the following can be used as “alternative actions” to a security app changing permissions on other apps:

-   -   Warn user that permissions on app do not comply (e.g., the         permissions violate an enterprise compliance policy in the         current (or any) context);     -   Prevent app from launching;     -   Remove app immediately or after a period of time if user has not         brought permissions into compliance with policy;     -   Blackhole network traffic from app while not in compliance (in         policy context);     -   Deny the user access to enterprise resources and or apps while         the user's device is not in compliance;     -   Notify an administrator or an administrative server of the         non-compliance event detected;     -   Any combination of the above alternative actions.

In one embodiment, a report is provided to a user device (e.g., for display of information to the user) or to an admin server (e.g., enterprise administrator) of all policies and apps associated with the user device, or only the policies or apps in compliance, or only the policies and apps not in compliance. Optionally, user privacy can be preserved by not reporting to an enterprise administrator the names or identifiers of the apps which are in/not in compliance. Rather, information is simply provided that there are apps in/not in compliance with the policy(ies). Optionally, information can be provided as to which categories the apps belong to. In situations in which there is both a personal and work profile/partition on the user device, the privacy reporting option can be used for apps installed in the personal partition, and the non-privacy preserving option can be used for apps installed in the work/corporate partition.

In one embodiment, for a situation in which there is both a personal and a work profile/partition on the device, the following can be performed: Action can be taken with respect to personal partition apps when they are used within a corporate context (as specified in a policy) such as, for example, in a corporate location, or while connected to a corporate network. The action taken can include dynamically modifying app permissions to be in compliance with a policy while the device is in a corporate context, and/or any of the “alternative actions” described above.

Any of the embodiments regarding user or other computing devices above may also be applied to a wearable device, or to a ‘thing’ device in the internet of things. For example, a device brought into an enterprise location or connected to an enterprise network may be required to have its permissions in compliance with the relevant permissions policies of the enterprise (e.g., as maintained by an admin server, and/or as controlled by MDM software).

FIG. 13 shows a computing system for evaluating software associated with a permission request, according to one embodiment. In some cases, a quarantine of the software is implemented based on determining a new security threat associated with the software. In one embodiment, the new security threat is associated with software that is making a permission request on mobile device 1312.

Evaluation server 1302 analyzes software associated with various computing devices that communicate with evaluation server 1302 over communication network 121. Evaluation server 1302 is an example of evaluation server 150 of FIG. 1.

In one embodiment, evaluation server 1302 determines that mobile device 1312 has requested a user to grant a permission for application 1316. In response to this determination, evaluation server 1302 causes sending of a communication to mobile device 1312. In one embodiment, the communication causes mobile device 1312 to perform one or more actions associated with permissions.

In one embodiment, permissions 1340 associated with various software on mobile device 1312 are stored in memory (not shown). In one embodiment, in response to receiving the communication above from evaluation server 1302, mobile device 1312 changes one or more of these permissions that are associated with application 1316. For example, these permissions can relate to storage of information, access to user information, and/or permissions regarding network access.

In one embodiment, evaluation server 1302 has previously analyzed application 1316 to determine one or more behaviors and/or other characteristics associated with application 1316. Evaluation server 1302 determines that the permission request corresponds to this behavior. In one example, this behavior may have been determined to be exhibited by other software on other devices that is similar to application 1316. The communication sent to mobile device 1312 above may also include data regarding these previously-determined characteristics associated with application 1316. In one embodiment, the communication sent to mobile device 1312 includes data associated with the decision delegation by mobile device 1312 regarding permissions. In one example, the communication instructs mobile device 1312 to grant or deny the permission.

In one embodiment, evaluation server 1302 determines a change of context for mobile device 1312. For example, the change of context can be a change from a home context to a work context (e.g., as determined based on device location and/or network access). In one example, the change of context is detected based on a network connection or attempted connection by mobile device 1312, and/or is based on a geographic location of mobile device 1312.

In response to determining the change of context, evaluation server 1302 sends a report to admin server 1310. For example, the report can indicate permissions settings on mobile device 1312. In response to receiving the report, admin server 1310 sends data to evaluation server 1302. Based on the data from admin server 1310, evaluation server 1302 causes mobile device 1312 to perform one or more actions. In one example, the action is implementing a quarantine of application 1316. In one example, the action is changing one or more permissions 1340. In one example, the action is denying access to a network.

In one embodiment, previously-analyzed application 1316 is to be installed on mobile device 1312. Evaluation server 1302 analyzes components 1324 and 1326 of application 1316 using data repository 1304. Application 1316 has a package name 1317, which is used as part of the analysis by evaluation server 1302. Data repository 1304 is an example of server app data 402 and/or source database 406 of FIG. 4. Data repository 1304 also is an example of database 1007 of FIG. 5.

In one embodiment, evaluation server 1302 determines that a risk level associated with application 1316 is below a predetermined threshold (e.g., the risk level may be determined using various of the approaches discussed above). In response, evaluation server 1302 authorizes granting of a permission for, and/or installation of, application 1316 on mobile device 1312.

At a later time, after installation of application 1316, evaluation server 1302 receives updated data over communication network 121. For example, the updated data can be data received from mobile device 1312, mobile device 1330, and/or another computing device that communicates with server 1302 over communication network 121. Mobile device 1312 and mobile device 1330 are examples of mobile device 149 of FIG. 1.

In one example, the updated data is received from application marketplace 123, service provider 170, identity provider 172, and/or developer server 160 of FIG. 1. In one example, the updated data is state data received from admin server 302 of FIG. 3.

In one embodiment, the updated data is received from mobile device 1330, which has requested an evaluation of application 1332 prior to installation on mobile device 1330. For example, mobile device 1330 may be attempting to download application 1332 from application marketplace 123 or developer server 160 of FIG. 1.

Evaluation server 1302 evaluates components 1334 and 1336 of application 1332 using data repository 1304. As a result of this evaluation, server 1302 provides a security assessment (e.g., provides a risk level from applying a set of rules). From the security assessment, server 1302 determines that a security threat is associated with application 1332 (e.g., the risk level exceeds a predetermined threshold). For example, server 1302 may determine that component 1334 is associated with malicious activity based on data previously received from other computing devices and stored in data repository 1304.

In response to determining this security threat, evaluation server 1302 performs one or more remediation or other actions. In one embodiment, server 1302 sends a message to mobile device 1312. The message causes mobile device 1312 to quarantine previously-installed application 1316.

In one embodiment, mobile device 1312 implements the quarantine using proxy 1314, which blocks selected network traffic. For example, proxy 1314 can block all traffic to or from mobile device 1312 that is associated with application 1316.

In one embodiment, proxy 1314 is coupled to physical network interface 1318. Proxy 1314 inspects some or all incoming or outgoing network packets passing through interface 1318 to identify packets associated with any source or destination address used by application 1316 and blocks this network traffic. However, proxy 1314 permits network traffic associated with other applications on mobile device 1312 to continue flowing as normal. In one example, physical network interface 1318 is a wireless communication interface.

In one embodiment, operating system 1320 of mobile device 1312 provides one or more application programming interfaces (APIs) that are used by proxy 1314 to inspect incoming or outgoing network packets. In one example, the API also permits setting up of a virtual private network (VPN), but the API is merely used to inspect packets without setting up a VPN.

In one embodiment, proxy 1314 is client-side software installed on mobile device 1312. For example, proxy 1314 can be an application installed by the user from application marketplace 123.

In one embodiment, admin server 1310 is used to manage numerous user devices including mobile device 1312 and/or mobile device 1330. In response to determining a security threat, evaluation server 1302 sends a message to admin server 1310. For example, the message indicates the new security threat.

In response to receiving the message, admin server 1310 can automatically quarantine application 1316 on mobile device 1312. In some cases, server 1302 provides a recommended response to admin server 1310 and/or a user of mobile device 1312. In some cases, admin server 1310 automatically quarantines application 1316 only if the user has failed to implement the recommended response.

In one embodiment, admin server 1310 executes MDM software 1311. MDM software 1311 implements policies 1342 on mobile device 1312 and/or mobile device 1330. In some cases, policies 1342 are changed in response to data regarding new security threats determined by evaluation server 1302. Then, permissions 1340 can be changed by MDM software 1311 based on the updated policies 1342.

In one embodiment, evaluation server 1302 determines one or more source or destination addresses 1350 that are used by application 1332 for sending or receiving data. In response to determining a security threat associated with application 1332, evaluation server 1302 communicates these source and/or destination addresses 1350 to proxy 1314 of mobile device 1312. Proxy 1314 blocks all data traffic to or from these source or destination addresses 1350.

In one embodiment, evaluation server 1302 determines a source of application 1332. For example, the source can be source server 1306. Server 1302 determines other software obtained from source server 1306. The other software is evaluated by server 1302 to determine whether a security threat is associated with any of the other software. If a threat is determined, then server 1302 implements a quarantine of the other software.

In one embodiment, evaluation server 1302 determines a domain 1308 that is associated with a source of software (e.g., application 1332). Server 1302 sends a query to a computing device (e.g., source server 1306) associated with domain 1308. In one example, the query requests verification of package name 1317 and/or other package names (e.g., package names for software currently being installed and/or previously installed on mobile devices 1312, 1330).

In some cases, in response to the query, evaluation server 1302 receives a communication indicating that package name 1317 and/or other package names are not valid. In response, server 1302 implements a quarantine of software associated with any package name indicated as not being valid.

In one embodiment, the query sent to source server 1306 includes both the package name 1317 and a public key associated with application 1316. In one example, the private key associated with the public key was used to sign application 1316.

In one example, evaluation server 1302 determines that a particular source (e.g., a website or domain) is malicious or associated with phishing activity. Evaluation server 1302 crawls the source or site to discover any mobile apps (e.g., APKs or IPAs) made available by the source or site, downloads the mobile apps, and then performs analysis for security threats.

In one embodiment, when a risk level of an application exceeds a predetermined threshold, evaluation server 1302 causes the application to be quarantined. For example, all incoming traffic and/or outgoing traffic associated with the application is destroyed or discarded (e.g., blackholed). For example, a message is sent to proxy 1314 that implements the foregoing.

In one embodiment, when a risk level of an application exceeds a predetermined threshold, evaluation server 1302 causes a “sandbox” to be created for that application. This is, for example, to significantly limit damage that the application can cause. Sandboxing can be initiated by sending a message to mobile device 1312.

In one embodiment, a policy stored at evaluation server 1302 is updated based on discovery and characterization of a new security threat. When evaluating software, server 1302 generates a set of queries and runs the queries through data repository 1304. In one example, data repository 1302 contains state information for all devices managed by admin server 1310 using MDM software 1311.

In some cases, the policy is updated in response to a communication from admin server 1310. For example, admin server 1310 may receive data from mobile device 1312 when configuring or otherwise communicating with mobile device 1312 using MDM software 1311. Admin server 1310 may also receive updated data from mobile device 1330 (e.g., data regarding component 1334 or 1336), and share such data with server 1302, which uses this data to update the policy.

In response to the queries run through data repository 1304, a set of candidate devices that sufficiently match the queries is provided as a result. For example, the candidate devices match the queries if the devices satisfy one or more rules. In one example, the devices match if they contain an identified component (e.g., component 1334, 1336, 1324, and/or 1326), or contain a component similar to an identified component. In one example, the devices match if they are provided as a result from a machine learning model. In one example, a device matches if an output from a model or rule exceeds a predetermined threshold.

In some embodiments, evaluation server 1302 performs further assessment of the set of candidate devices. For example, the further assessment can be based on policies 1342 of the admin server 1310. For example, the further assessment can be based on additional rules, models, and/or data collected from mobile devices over communication network 121. In one example, the further assessment comprises evaluation of software and/or software components, such as was described in various embodiments above. In one example, the further assessment is based on state data received from admin server 302. In one example, the further assessment is based on data received from identity provider 172.

In one embodiment, the further assessment above provides a subset of the candidate devices as being at-risk devices. For example, in an enterprise model, evaluation server 1302 sends a message to admin server 1310 that indicates the subset of at-risk devices (e.g., a set of device identifiers and corresponding security threat data, etc.).

In one embodiment, a message is sent to each of the devices in the subset of at-risk devices. The message may include an identifier of the source of the threat, an assessment of the threat, a context for the threat, and a recommended response.

Each device that receives the above message sends a reply message if the recommended response was performed. For example, the recommended response is disabling of software (e.g., by a user via a user interface of the user's device) and/or changing a permission on a user device (e.g., automatically by MDM software 1311, or by manual input via a user in response to a prompt displayed as an alert on the user's device).

In one embodiment (e.g., in an enterprise model), evaluation server 1302 informs admin server 1310 regarding those of the subset of at-risk devices for which the recommended response has not been performed or completed.

In one embodiment, the evaluation server 1302 and/or admin server 1310 sends a message to each of the devices that has not completed the recommended response. For example, the message instructs the device to quarantine the source of the threat. The quarantine can be implemented, for example, by deleting the software, uninstalling software, preventing the software from launching, and/or changing a permission associated with the software.

In one embodiment, upon receiving the instruction (e.g., the message above) to quarantine the software, the device still at-risk uses (e.g., establishes and/or launches) a client-side proxy on the device to prevent the identified threat from exchanging information, while allowing other apps on the device to continue exchanging information. In one embodiment, the proxy is capable of identifying the source and/or destination of packets being sent and received by the malicious software on the device. In one example, the source and/or destination is source or destination address 1350. In one example, the proxy is proxy 1314.

FIG. 14 shows a computing system for managing permissions associated with one or more computing devices, according to one embodiment. Evaluation server 1408 executes a policy manager 1406 that manages permissions associated with various computing devices including mobile device 1405 and mobile device 1407. Evaluation server 1408 is an example of evaluation server 150 of FIG. 1 or evaluation server 1302 of FIG. 13. Evaluation server 1408 stores policies 1416 in memory (not shown). Policies 1416 are implemented by policy manager 1406 on mobile devices 1405 and 1407.

In one embodiment, policies 1416 correspond to an enterprise policy. Permissions 1409 for various software on mobile device 1405 are maintained by policy manager 1406 to be in compliance with policies 1416. In one example, admin server 1310 transmits data regarding policies 1342 to evaluation server 1408, which data is used to update policies 1416 as regards acceptable permissions for mobile devices 1405 and 1407.

In one embodiment, evaluation server 1408 determines a change of context for mobile device 1405. For example, evaluation server 1408 may determine that mobile device 1405 is attempting to connect to network 1404. In another example, evaluation server 1408 may determine that mobile device 1405 is attempting to install software from application marketplace 1402.

In response to determining the change of context, evaluation server 1408 determines a configuration of permissions 1409. Evaluation server 1408 revokes one or more permissions for software on mobile device 1405 based on the change of context. Security component 1412 resides on mobile device 1405 and can be used to revoke or deny permissions on mobile device 1405. In one embodiment, security component 1412 automatically implements a decision delegation previously made by mobile device 1405 regarding permissions. For example, mobile device 1405 can delegate permission decisions to choices made by mobile device 1407. In one embodiment, security component 1412 also can implement changes to a configuration 1410 of operating system 1320.

At a later time, evaluation server 1408 determines a change of context for mobile device 1405 to a different context. For example, the change of context may be termination of access to network 1404. In response to determining this change of context, evaluation server 1408 causes restoring of a permission for software on mobile device 1405. In one example, the permission restored can be a permission that was previously revoked when mobile device 1405 accessed network 1404.

In one embodiment, mobile device 1407 includes a personal partition 1401 and a work partition 1408. Permissions 1414 correspond to apps 1418 that reside in personal partition 1401. Permissions 1416 corresponds to apps 1420 that reside in work partition 1403. Management of configuration for permissions of software can be handled differently depending on whether the software resides in personal partition 1401 or work petition 1403. For example, to maintain user privacy, data regarding apps 1418 in personal partition 1401 that is reported to evaluation server 1408 can be reduced as compared to reporting of data for apps 1420 in work partition 1403. In one embodiment, a proxy (e.g., proxy 1314) blocks or allows app access to certain device resources such as network traffic, camera, contact, photographs, etc.

In one embodiment, a context of a device is monitored. In one example, context information is collected from a mobile device and analyzed. Based on this analysis, settings and/or behavior of applications and device components, and/or policies enforced on the device, can be modified. In one example, an evaluation server determines whether a new context requires a policy change for apps in current use by a user on a mobile device, and then dynamically updates the access policy when and/or as appropriate. For example, the access policy can be updated by changing the app permissions (e.g., changed by a proxy (e.g., proxy 1314)), or alternative techniques like blocking keyboard input, or displaying a clear overlay that prevents data entry.

In one embodiment, the context of a device includes conditions under which device usage, non-usage, or both occur. The conditions can include time, date, location, speed (e.g., tracking the movement of the device), and other factors (e.g., altitude, or temperature). In one example, a current context is determined and a subsequent or later context is predicted during the current context so that a function of the device can be controlled for the subsequent context.

In one embodiment, context is used to automatically configure a mobile device. For example, a system may determine that the current context includes the user attending a meeting in a meeting room at his work location. Based on the current context, the system (e.g., an evaluation server or an administrator server) may automatically activate one or more policies that allow phone calls from family or emergency calls (e.g., call is being placed from a hospital), but block other phone calls, disable mobile device sounds (e.g. chimes), close background applications, and disable location service. Determining context allows the system to discover what the user is currently doing, anticipate or predict what the user is likely to do next, and configure the mobile device accordingly (e.g., by changing a policy, modifiying a component, etc.).

In one embodiment, there are different levels of context abstraction. For example, the context “commute to work” may be further detailed as “commute to work in car” or “commute to work on train.” These different levels of abstraction allow the system to provide very fine-grained control for adapting device behavior (e.g., changing policy, etc.). Context can include geographical location information, applications used, time and date information, and other information.

In one embodiment, usage information associated with a mobile device is collected. The collected information is used to build a usage model for a user of the mobile device that describes a set of contexts in which the mobile device is used. User activity on the device is monitored and the model is consulted to determine a first time after which it will be acceptable for a policy to change.

FIG. 15 shows a method for managing a permission for software based on a change of context for a computing device, according to one embodiment. For example, the method of FIG. 15 can be implemented in the system of FIG. 1, 3, 4, 5, 13, or 14.

The method of FIG. 15 can be performed by processing logic that can include hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.

In some embodiments, the method of FIG. 15 is performed at least in part by one or more processors of evaluation server 1408 of FIG. 14. In one embodiment, evaluation server 1408 is implemented using the processors and memory of FIG. 11 or 12.

Although shown in a particular sequence or order, unless otherwise specified, the order of the processes can be modified. Thus, the illustrated embodiments should be understood only as examples, and the illustrated processes can be performed in a different order, and some processes can be performed in parallel. Additionally, one or more processes can be omitted in various embodiments. Thus, not all processes are required in every embodiment. Other process flows are possible.

At block 1501, a change of context for a computing device from a first context to a second context is determined. For example, evaluation server 1408 determines that mobile device 1405 has changed from a home context to a work context.

At block 1503, in response to determining the change of context, a permission for software on the computing device is revoked. For example, evaluation server 1408 causes revoking of a permission for software on mobile device 1405. In one example, the permission is revoked in response to determining that mobile device 1405 is accessing network 1404.

At block 1505, a change of context for the computing device from the second context to a different context is determined. For example, evaluation server 1408 determines that mobile device 1405 has changed its context from a work context back to a home context, or to another non-work context.

At block 1507, in response to determining the change of context to the different context, the permission for the software is restored. For example, security component 1412 receives a communication from evaluation server 1408 that causes mobile device 1405 to restore a permission for application 1316.

In one embodiment, a method comprises: determining, by a first computing device (e.g., evaluation server 1408), a change of context for a second computing device (e.g., mobile device 1405) from a first context to a second context (e.g., from a home context to an enterprise/work context); in response to determining the change of context to the second context, revoking a permission for software (e.g., one of permissions 1409 for application 1316) on the second computing device; determining, by the first computing device, a change of context for the second computing device from the second context to a different context; and in response to determining the change of context to the different context, restoring the permission for the software.

In one embodiment, the different context is the first context or a third context.

In one embodiment, determining the change of context to the second context comprises detecting a connection by the second computing device to a network.

In one embodiment, determining the change of context to the second context comprises determining a geographic location of the second computing device.

In one embodiment, revoking the permission for the software is implemented automatically by a policy manager (e.g., policy manager 1406) executing on the first computing device.

In one embodiment, the method further comprises storing a permissions policy (e.g., one or more of policies 1416, and/or policies 1342) that is enforced for devices determined to be in the second context, and the permission for the software is revoked due to a lack of compliance with the permissions policy.

In one embodiment, the method further comprises: determining, by the first computing device, a behavior associated with the software; and in response to determining the change of context to the second context, sending a communication to the second computing device, the communication including data regarding the behavior.

In one embodiment, the second computing device has made a delegation regarding permissions, and revoking the permission for the software is implemented in conformance with the delegation.

In one embodiment, the method further comprises: receiving, in order to manage permissions of the second computing device in conformance with the delegation, a selection of persons or computing devices; and receiving first data associated with the person or the computing devices; wherein revoking the permission for the software is based on the first data.

In one embodiment, the first data comprises: permission configurations made by the selected persons; or permission configurations of the selected computing devices.

In one embodiment, a security component (e.g., security component 1412) resides on the second computing device, the security component has been authorized by a user or administrator (e.g., admin server 1310) of the second computing device to change permissions, and revoking the permission for the software is automatically implemented by the security component.

In one embodiment, the method further comprises: evaluating, by the first computing device, the software; and determining that the software is associated with a security threat; wherein revoking the permission for the software is based on determining that the software is associated with the security threat.

In one embodiment, evaluating the software is performed in response to determining the change of context to the second context; evaluating the software comprises evaluating a behavior of the software to determine that the behavior is associated with the security threat; and revoking the permission for the software disables the behavior by the software on the second computing device.

FIG. 16 shows a method for managing a permission for software associated with a request for a user to grant the permission, according to one embodiment. For example, the method of FIG. 16 can be implemented in the system of FIG. 1, 3, 4, 5, 13, or 14.

The method of FIG. 16 can be performed by processing logic that can include hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.

In some embodiments, the method of FIG. 16 is performed at least in part by one or more processors of evaluation server 1408 of FIG. 14. In one embodiment, evaluation server 1408 is implemented using the processors and memory of FIG. 11 or

Although shown in a particular sequence or order, unless otherwise specified, the order of the processes can be modified. Thus, the illustrated embodiments should be understood only as examples, and the illustrated processes can be performed in a different order, and some processes can be performed in parallel. Additionally, one or more processes can be omitted in various embodiments. Thus, not all processes are required in every embodiment. Other process flows are possible.

At block 1601, a behavior associated with software is determined. For example, evaluation server 1408 determines a behavior for application 1316. In one example, the behavior is determined prior to installing application 1316 on mobile device 1405. In one example, the behavior is determined after application 1316 has been installed on mobile device 1405. In one example, the behavior is determined in response to a request for permission made by application 1316.

In one example, a behavior for software is determined from component and/or behavior analysis of software as described in various embodiments above. In some embodiments, a component analysis of the software (e.g., an application) can be used to relate components of the software to a database of characteristics for known bad components. If the component in the software corresponds to a known bad component, the behavior can be identified as malicious.

At block 1603, it is determined that a user device has requested a user grant permission for the software. The permission corresponds to the behavior determined to be associated with the software. For example, evaluation server 1408 determines that the request for permission made by application 1316 corresponds to a malicious behavior determined to be associated with application 1316.

At block 1605, in response to determining that the user device has requested the user grant the permission for the software, a communication is sent to the user device. For example, evaluation server 1408 determines that application 1316 has requested the user grant a permission. In response, evaluation server 1408 sends a communication to mobile device 1405. In another embodiment, evaluation server 1408 sends a communication to admin server 1310, which causes admin server 1310 to send the communication to mobile device 1405. In one example, the communication causes mobile device 1405 to take one or more remediation and/or preventive actions as described above. In other embodiments, alternatively or additionally, one or more other responsive actions can be performed. For example, in addition to sending a communication to mobile device 1405, additional communications can be sent to other computing devices such as admin server 1310, application marketplace 1402, and/or mobile device 1407.

In one embodiment, a system comprises: at least one processor; and memory storing instructions configured to instruct the at least one processor to: determine a behavior associated with software (e.g., evaluation server 1408 determines a behavior associated with application 1316) (e.g., evaluation server 1408 determines behavior associated with one of apps 1418 or apps 1420); determine that a user device has requested a user grant a permission for the software, wherein the permission corresponds to the behavior (e.g., application 1316 makes a request for permission to the user of a mobile device 1405); and in response to determining that the user device has requested the user grant the permission, send a communication to the user device, the communication including at least one of: data regarding the behavior, data from an administrator device regarding the permission, or data associated with a decision delegation by the user device regarding permissions. In one example, evaluation server 1408 sends a communication to mobile device 1405. In one example, admin server 1310 sends a communication to mobile device 1405 in response to a communication from evaluation server 1408 indicating that application 1316 has made a request for permission.

In one example, a communication is sent to mobile device 1405 by evaluation server 1408 or admin server 1310. The communication includes data regarding a decision delegation previously made by mobile device 1405. For example, the data regarding the decision delegation indicates how mobile device 1407 and/or other computing devices have handled the same permission request.

In one embodiment, the instructions are further configured to instruct the at least one processor to: determine a change of context for the user device; and in response to determining the change of context, revoke the permission for the software on the user device.

In one embodiment, the communication includes the data from the administrator device, and the instructions are further configured to instruct the at least one processor to: determine permissions settings for the user device; and in response to determining the change of context, send a report of the permissions settings to the administrator device; wherein the data from the administrator device is generated by the administrator device in response to receiving the permissions settings, and wherein sending the communication to the user device causes the user device to deny or revoke the permission for the software. For example, admin server 1310 receives a report from evaluation server 1408. The report includes permissions settings for mobile device 1405. The admin server 1310 generates data based on the report from evaluation server 1408. This data includes an acceptable permissions configuration for mobile device 1405. Data regarding the permissions configuration is sent by admin server 1310 or evaluation server 1408 to mobile device 1405. In one example, one or more permissions are revoked on mobile device 1405 (e.g., by security component 1412) in response to receiving the permissions configuration data.

In one embodiment, the communication includes the data associated with the decision delegation, and the instructions are further configured to instruct the at least one processor to: receive, from the user device and for managing permissions of the user device in conformance with the decision delegation, a selection of persons or computing devices; and receive data regarding decisions for the permission made by the selected persons or computing devices; wherein sending the communication causes the user device to deny or revoke the permission. In one example, the user of mobile device 1405 makes a selection of other persons to establish a decision delegation. Evaluation server 1408 receives and stores this selection for the decision delegation. Evaluation server 1408 monitors decisions for permissions made by the selected persons. The communication sent to mobile device 1405 includes data to manage permissions on mobile device 1405 consistent with the decision delegation.

In one embodiment, sending the communication to the user device causes the user device to perform at least one of: providing a warning to the user regarding the permission; preventing the software from launching; removing the software from the user device; preventing network traffic from the software while the permission is not in compliance with a policy enforced by the administrator device; or denying access to a network. For example, the communication sent to mobile device 1405 causes security component 1412 to blackhole all traffic to or from application 1316, and/or deny access to network 1404.

In one embodiment, a non-transitory computer-readable storage medium stores computer-readable instructions, which when executed, cause a first computing device (e.g., evaluation server 1408) at least to: determine a change of context for a second computing device (e.g., mobile device 1405); in response to determining the change of context, send a report to an administrator device regarding permissions settings on the second computing device, wherein first data is generated by the administrator device based on the permissions settings; receive the first data from the administrator device; and in response to receiving the first data, cause the second computing device to perform at least one action.

In one embodiment, the at least one action comprises at least one of: providing a warning to a user of the second computing device regarding a permission; preventing software from launching; removing software from the second computing device; preventing network traffic from software on the second computing device while a permission of the software is not in compliance with a policy enforced by the administrator device (e.g., one of policies 1342 of admin server 1310); or denying access to a network for which access is controlled by the first computing device.

In one embodiment, permissions management is implemented by an application performing policy management (e.g., MDM software 1311 manages mobile devices 1405 and 1407, including permissions management as described above). In one embodiment, permissions management is implemented by an application facilitating MDM in performing the policy management (e.g., policy manager 1406 of evaluation server 1408 supports MDM software 1311 in handling permissions management for mobile devices 1405 and 1407).

In one embodiment, permissions can be changed based on geographic location. For example, when a mobile device is in a building where a user works, microphone and/or camera permissions are turned off for certain designated (or for all) apps on the mobile device. Other functions can be turned off such as, for example, gyroscope and/or accelerometer functions.

In one embodiment, a report is generated based on any change in the permissions decision (e.g., by the device user). For example, security component 1412 monitors permissions decisions on mobile device 1405 and sends data regarding these decisions to evaluation server 1408. In one embodiment, an alert is generated for an administrator server (e.g., admin server 1310) based on the change in permissions decision.

In one embodiment, decisions about a configuration for an operating system (e.g. configuration 1410 for operating system 1320) are made the same as or similarly as described above for permissions for software (e.g., in a way similar to how application permission decisions are handled above). In one embodiment, the operating system configuration decisions are automatically made for devices/things in the Internet of things (e.g., decisions are made in the absence of or without manual user input). In one example, security component 1412 is used on devices in the Internet of things.

In one embodiment, evaluation server 1302 determines a new security threat associated with an application that is requesting a permission or being downloaded to a mobile device. In one example, the security threat is the presence of the application on a computing device. In another example, the security threat is a vulnerability associated with the application.

In one embodiment, evaluation server 1302 queries data repository 1304 based on new data received from a mobile device 1330. In one example, the query is based on a package name or a package signer of application 1332. In response to the query, data repository 1304 returns a set of unique identifiers corresponding to computing devices. In one example, the identifier is a token identifier, an IMEI code, or a hardware identifier. For example, the token identifier can be used by MDM software 1311 to push data to a mobile device, or uninstall an application from the mobile device.

In one embodiment, a user of mobile device 1312 grants permission to proxy 1314 that permits proxy 1314 to block network traffic associated with application 1316 and/or other malicious software detected on mobile device 1312. In one example, proxy 1314 implements one or more APIs provided by operating system 1320 for implementing virtual private networks. Even though proxy 1314 does not in certain embodiments itself implement a virtual private network, the API permits proxy 1314 to inspect all incoming or outgoing network packets and decide whether to pass each packet to or from physical interface 1318. In some embodiments, proxy 1314 can modify the network packets. For example, proxy 1314 can append data to the packet that corresponds to a security threat detected by evaluation server 1302.

In one embodiment, an evaluation server determines a change of context to a new context. The evaluation server causes a permission to be revoked on a mobile device so long as the new context exists. When it is determined that the new context no longer exists, then the evaluation server permits the mobile device to restore the permission that was revoked.

In one embodiment, a decision delegation is based on a defined population of users. For example, the permission decision can be based on decisions made by a predetermined portion of the population, such as for example a majority. In another embodiment, a decision delegation can be based on an output from a machine learning model. Inputs to the machine learning model can be based on characteristics observed for software on other computing devices. In one embodiment, decision delegation is based on a statistical recommender system.

In one embodiment, a security component on a computing device uses an application programming interface that permits changes in permissions for other software on the computing device. In one example, the application programming interface is provided by the operating system.

In one embodiment, the operating system of a computing device does not directly permit permissions changes by the security component or another application on the computing device. However, the operating system provides assistive technology which supports a disabled user (e.g., a blind user) in navigating a user interface and making manual selections therein. The security component above can use the assistive technology in order to implement permission changes for software on the computing device.

CLOSING

In this description, various functions and operations may be described as being performed by or caused by software code to simplify description. However, those skilled in the art will recognize what is meant by such expressions is that the functions result from execution of the code by a processor, such as a microprocessor. Alternatively, or in combination, the functions and operations can be implemented using special purpose circuitry, with or without software instructions, such as using an Application-Specific Integrated Circuit (ASIC) or a Field-Programmable Gate Array (FPGA). Embodiments can be implemented using hardwired circuitry without software instructions, or in combination with software instructions. Thus, the techniques are limited neither to any specific combination of hardware circuitry and software, nor to any particular source for the instructions executed by a computing device.

While some embodiments can be implemented in fully functioning computers and computer systems, various embodiments are capable of being distributed as a computing product in a variety of forms and are capable of being applied regardless of the particular type of machine or computer-readable media used to actually effect the distribution.

At least some aspects disclosed can be embodied, at least in part, in software. That is, the techniques may be carried out in a computing device or other system in response to its processor, such as a microprocessor, executing sequences of instructions contained in a memory, such as ROM, volatile RAM, non-volatile memory, cache or a remote storage device.

Routines executed to implement the embodiments may be implemented as part of an operating system, middleware, service delivery platform, SDK (Software Development Kit) component, web services, or other specific application, component, program, object, module or sequence of instructions referred to as “computer programs.” Invocation interfaces to these routines can be exposed to a software development community as an API (Application Programming Interface). The computer programs typically comprise one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects.

A machine readable medium can be used to store software and data which when executed by a computing device causes the device to perform various methods. The executable software and data may be stored in various places including for example ROM, volatile RAM, non-volatile memory and/or cache. Portions of this software and/or data may be stored in any one of these storage devices. Further, the data and instructions can be obtained from centralized servers or peer to peer networks. Different portions of the data and instructions can be obtained from different centralized servers and/or peer to peer networks at different times and in different communication sessions or in a same communication session. The data and instructions can be obtained in entirety prior to the execution of the applications. Alternatively, portions of the data and instructions can be obtained dynamically, just in time, when needed for execution. Thus, it is not required that the data and instructions be on a machine readable medium in entirety at a particular instance of time.

Examples of computer-readable media include but are not limited to recordable and non-recordable type media such as volatile and non-volatile memory devices, read only memory (ROM), random access memory (RAM), flash memory devices, removable disks, magnetic disk storage media, optical storage media (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks (DVDs), etc.), among others. The computer-readable media may store the instructions.

The instructions may also be embodied in digital and analog communication links for electrical, optical, acoustical or other forms of propagated signals, such as carrier waves, infrared signals, digital signals, etc. However, propagated signals, such as carrier waves, infrared signals, digital signals, etc. are not tangible machine readable medium and are not configured to store instructions.

In general, a tangible or non-transitory machine readable medium includes any mechanism that provides (e.g., stores) information in a form accessible by a machine (e.g., a computer, network device, personal digital assistant, manufacturing tool, any device with a set of one or more processors, etc.).

In various embodiments, hardwired circuitry may be used in combination with software instructions to implement the techniques. Thus, the techniques are neither limited to any specific combination of hardware circuitry and software nor to any particular source for the instructions executed by a computing device.

Although some of the drawings illustrate a number of operations in a particular order, operations which are not order dependent may be reordered and other operations may be combined or broken out. While some reordering or other groupings are specifically mentioned, others will be apparent to those of ordinary skill in the art and so do not present an exhaustive list of alternatives. Moreover, it should be recognized that the stages could be implemented in hardware, firmware, software or any combination thereof.

In the foregoing specification, the disclosure has been described with reference to specific exemplary embodiments thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense. 

What is claimed is:
 1. A method, comprising: receiving, by a processor, context data associated with a context for a computing device; identifying, based on the context data, a first policy that is applicable for the context of the computing device, the first policy having policy characteristics regarding access permissions for software installed on computing devices; identifying a second policy implemented on the computing device, the second policy having policy characteristics regarding an access permission for first software on the computing device; comparing the policy characteristics of the first policy to the second policy, and determining that the access permission for the first software does not comply with the first policy; and based on determining that the access permission for the first software does not comply with the first policy, applying the first policy to the computing device to revoke the access permission for the first software.
 2. The method of claim 1, further comprising: receiving additional context data associated with the context for the computing device; determining, based on the additional context data, that the context has changed; and in response to determining that the context has changed, restoring the access permission for the first software.
 3. The method of claim 1, wherein the context data comprises data regarding a connection by the computing device to a network.
 4. The method of claim 1, wherein the context data comprises data regarding a geographic location of the computing device.
 5. The method of claim 1, wherein revoking the access permission for the first software is implemented automatically by a policy manager.
 6. The method of claim 1, further comprising sending a report to an administrator server that manages policy for a plurality of computing devices including the computing device, the report indicating that the access permission for the first software has been revoked.
 7. The method of claim 1, further comprising: determining, by the processor, a behavior associated with the first software; and in response to determining that the access permission for the first software does not comply with the first policy, sending a communication to the computing device, the communication including data regarding the behavior.
 8. The method of claim 1, wherein the computing device has made a delegation regarding permissions, and wherein revoking the access permission for the first software is implemented in conformance with the delegation.
 9. The method of claim 8, further comprising: receiving, in order to manage permissions of the computing device in conformance with the delegation, a selection of persons or computing devices; and receiving first data associated with the person or the computing devices; wherein revoking the access permission for the first software is based at least in part on the first data.
 10. The method of claim 9, wherein the first data comprises: permission configurations made by the selected persons; or permission configurations of the selected computing devices.
 11. The method of claim 1, wherein a security component resides on the computing device, the security component has been authorized by a user or administrator of the computing device to change permissions, and revoking the access permission for the first software is automatically implemented by the security component.
 12. The method of claim 1, further comprising: evaluating, by the processor, the first software; and determining that the first software is associated with a security threat; wherein revoking the access permission for the first software is based at least in part on determining that the first software is associated with the security threat.
 13. The method of claim 12, wherein: evaluating the first software is performed in response to determining that the access permission for the first software does not comply with the first policy; evaluating the first software comprises evaluating a behavior of the first software to determine that the behavior is associated with the security threat; and revoking the access permission for the first software disables the behavior by the first software on the computing device.
 14. A system, comprising: at least one processor; and memory storing instructions configured to instruct the at least one processor to: determine a behavior associated with software; determine that a user device has requested a user grant a permission for the software, wherein the permission corresponds to the behavior; and in response to determining that the user device has requested the user grant the permission, send a communication to the user device, the communication including at least one of: data regarding the behavior, data from an administrator device regarding the permission, or data associated with a decision delegation by the user device regarding permissions.
 15. The system of claim 14, wherein the instructions are further configured to instruct the at least one processor to: determine a change of context for the user device; and in response to determining the change of context, revoke the permission for the software on the user device.
 16. The system of claim 15, wherein the communication includes the data from the administrator device, and the instructions are further configured to instruct the at least one processor to: determine permissions settings for the user device; and in response to determining the change of context, send a report of the permissions settings to the administrator device; wherein the data from the administrator device is generated by the administrator device in response to receiving the permissions settings, and wherein sending the communication to the user device causes the user device to deny or revoke the permission for the software.
 17. The system of claim 14, wherein the communication includes the data associated with the decision delegation, and the instructions are further configured to instruct the at least one processor to: receive, from the user device and for managing permissions of the user device in conformance with the decision delegation, a selection of persons or computing devices; and receive data regarding decisions for the permission made by the selected persons or computing devices; wherein sending the communication causes the user device to deny or revoke the permission.
 18. The system of claim 14, wherein sending the communication to the user device causes the user device to perform at least one of: providing a warning to the user regarding the permission; preventing the software from launching; removing the software from the user device; preventing network traffic from the software while the permission is not in compliance with a policy enforced by the administrator device; or denying access to a network.
 19. A non-transitory computer-readable storage medium storing computer-readable instructions, which when executed, cause a processor to: receive context data associated with a context for a computing device; identify, based on the context data, a first policy that is applicable for the context of the computing device, the first policy having policy characteristics regarding access permissions for software installed on computing devices; identify a second policy implemented on the computing device, the second policy having policy characteristics regarding an access permission for first software on the computing device; compare the policy characteristics of the first policy to the second policy, and determine that the access permission for the first software does not comply with the first policy; and based on determining that the access permission for the first software does not comply with the first policy, apply the first policy to the computing device to revoke the access permission for the first software.
 20. The non-transitory computer-readable storage medium of claim 19, wherein the instructions further cause the processor to, in response to determining that the access permission for the first software does not comply with the first policy, perform at least one of: providing a warning to a user of the computing device regarding a permission; preventing the first software from launching; removing the first software from the second computing device; preventing network traffic from the first software on the computing device; or denying access to a network by the computing device. 